Critical Security Controls v4.1 Mapped to NIST SP 800-53 Rev. 4 (final, r6a)

Technology

Published on March 1, 2014

Author: jderienzo

Source: slideshare.net

Description

http://www.CouncilonCyberSecurity.org
Map the Critical Security Controls (CSC) v4.1 to NIST SP 800-53 Rev.4-final (r6a)

Map the Critical Security Controls v4.1 to NIST SP 800-53 Rev. 4 (http://www.counciloncybersecurity.org)
Source workbook: Critical Security Controls v4 1 Mapped to NIST 800-53 rev4-Final_R6.xlsx (69 pages). This first sheet lists, for each CSC, the 800-53 Rev. 4 controls mapped to it.

CSC-01  Inventory of Authorized & Unauthorized Devices
  CA-07  Continuous Monitoring
  CM-08  Information System Component Inventory
  IA-03  Device Identification and Authentication
  SA-04  Acquisition Process
  SC-17  Public Key Infrastructure Certificates
  SI-04  Information System Monitoring
  PM-05  Information System Inventory

CSC-02  Inventory of Authorized and Unauthorized Software
  CA-07  Continuous Monitoring
  CM-02  Baseline Configuration
  CM-08  Information System Component Inventory
  CM-10  Software Usage Restrictions
  CM-11  User-Installed Software
  SA-04  Acquisition Process
  SC-18  Mobile Code
  SC-34  Non-Modifiable Executable Programs
  SI-04  Information System Monitoring
  PM-05  Information System Inventory

CSC-03  Secure Configurations for Mobile Devices, Workstations, Servers
  CA-07  Continuous Monitoring
  CM-02  Baseline Configuration
  CM-03  Configuration Change Control
  CM-05  Access Restrictions for Change
  CM-06  Configuration Settings
  CM-07  Least Functionality
  CM-08  Information System Component Inventory
  CM-09  Configuration Management Plan
  CM-11  User-Installed Software
  MA-04  Nonlocal Maintenance
  RA-05  Vulnerability Scanning
  SA-04  Acquisition Process
  SC-15  Collaborative Computing Devices
  SC-34  Non-Modifiable Executable Programs
  SI-02  Flaw Remediation
  SI-04  Information System Monitoring

CSC-04  Continuous Vulnerability Assessment and Remediation
  CA-02  Security Assessments
  CA-07  Continuous Monitoring
  RA-05  Vulnerability Scanning
  SC-34  Non-Modifiable Executable Programs
  SI-04  Information System Monitoring
  SI-07  Software, Firmware, and Information Integrity

CSC-05  Malware Defenses
  CA-07  Continuous Monitoring
  SC-39  Process Isolation
  SC-44  Detonation Chambers
  SI-03  Malicious Code Protection
  SI-04  Information System Monitoring
  SI-08  Spam Protection

CSC-06  Application Software Security
  RA-05  Vulnerability Scanning
  SA-03  System Development Life Cycle
  SA-10  Developer Configuration Management
  SA-11  Developer Security Testing and Evaluation
  SA-13  Trustworthiness
  SA-15  Development Process, Standards, and Tools
  SA-16  Developer-Provided Training
  SA-17  Developer Security Architecture and Design
  SA-20  Customized Development of Critical Components
  SA-21  Developer Screening
  SC-39  Process Isolation
  SI-10  Information Input Validation
  SI-11  Error Handling
  SI-15  Information Output Filtering
  SI-16  Memory Protection

CSC-07  Wireless Device Control
  AC-18  Wireless Access
  AC-19  Access Control for Mobile Devices
  CA-03  System Interconnections
  CA-07  Continuous Monitoring
  CM-02  Baseline Configuration
  IA-03  Device Identification and Authentication
  SC-08  Transmission Confidentiality and Integrity
  SC-17  Public Key Infrastructure Certificates
  SC-40  Wireless Link Protection
  SI-04  Information System Monitoring

CSC-08  Data Recovery Capability
  CP-09  Information System Backup
  CP-10  Information System Recovery and Reconstitution
  MP-04  Media Storage

CSC-09  Security Skills Assessment and Appropriate Training to Fill Gaps
  AT-01  Security Awareness and Training Policy and Procedures
  AT-02  Security Awareness Training
  AT-03  Role-Based Security Training
  AT-04  Security Training Records
  SA-11  Developer Security Testing and Evaluation
  SA-16  Developer-Provided Training
  PM-13  Information Security Workforce
  PM-14  Testing, Training, & Monitoring
  PM-16  Threat Awareness Program

CSC-10  Secure Configurations for Network Infrastructure & Security Devices
  AC-04  Information Flow Enforcement
  CA-03  System Interconnections
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  CM-02  Baseline Configuration
  CM-03  Configuration Change Control
  CM-05  Access Restrictions for Change
  CM-06  Configuration Settings
  CM-08  Information System Component Inventory
  MA-04  Nonlocal Maintenance
  SC-24  Fail in Known State
  SI-04  Information System Monitoring

CSC-11  Ports, Protocols, and Services Management
  AC-04  Information Flow Enforcement
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  CM-02  Baseline Configuration
  CM-06  Configuration Settings
  CM-08  Information System Component Inventory
  SC-20  Secure Name/Address Resolution Service (Authoritative Source)
  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  SC-22  Architecture and Provisioning for Name/Address Resolution Service
  SC-41  Port and I/O Device Access
  SI-04  Information System Monitoring

CSC-12  Controlled Use of Administrative Privileges
  AC-02  Account Management
  AC-06  Least Privilege
  AC-17  Remote Access
  AC-19  Access Control for Mobile Devices
  CA-07  Continuous Monitoring
  IA-02  Identification and Authentication (Organizational Users)
  IA-04  Identifier Management
  IA-05  Authenticator Management
  SI-04  Information System Monitoring

CSC-13  Boundary Defense
  AC-04  Information Flow Enforcement
  AC-17  Remote Access
  AC-20  Use of External Information Systems
  CA-03  System Interconnections
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  CM-02  Baseline Configuration
  SA-09  External Information System Services
  SC-07  Boundary Protection
  SC-08  Transmission Confidentiality and Integrity
  SI-04  Information System Monitoring

CSC-14  Maintenance, Monitoring and Analysis of Audit Logs
  AC-23  Data Mining Protection
  AU-02  Audit Events
  AU-03  Content of Audit Records
  AU-04  Audit Storage Capacity
  AU-05  Response to Audit Processing Failures
  AU-06  Audit Review, Analysis, and Reporting
  AU-07  Audit Reduction and Report Generation
  AU-08  Time Stamps
  AU-09  Protection of Audit Information
  AU-10  Non-repudiation
  AU-11  Audit Record Retention
  AU-12  Audit Generation
  AU-13  Monitoring for Information Disclosure
  AU-14  Session Audit
  CA-07  Continuous Monitoring
  IA-10  Adaptive Identification and Authentication
  SI-04  Information System Monitoring

CSC-15  Controlled Access Based on the Need to Know
  AC-01  Access Control Policy and Procedures
  AC-02  Account Management
  AC-03  Access Enforcement
  AC-06  Least Privilege
  AC-24  Access Control Decisions
  CA-07  Continuous Monitoring
  MP-03  Media Marking
  RA-02  Security Categorization
  SC-16  Transmission of Security Attributes
  SI-04  Information System Monitoring

CSC-16  Account Monitoring and Control
  AC-02  Account Management
  AC-03  Access Enforcement
  AC-07  Unsuccessful Logon Attempts
  AC-11  Session Lock
  AC-12  Session Termination
  CA-07  Continuous Monitoring
  IA-05  Authenticator Management
  IA-10  Adaptive Identification and Authentication
  SC-17  Public Key Infrastructure Certificates
  SC-23  Session Authenticity
  SI-04  Information System Monitoring

CSC-17  Data Loss Prevention
  AC-03  Access Enforcement
  AC-04  Information Flow Enforcement
  AC-23  Data Mining Protection
  CA-07  Continuous Monitoring
  CA-09  Internal System Connections
  IR-09  Information Spillage Response
  MP-05  Media Transport
  SA-18  Tamper Resistance and Detection
  SC-08  Transmission Confidentiality and Integrity
  SC-28  Protection of Information at Rest
  SC-31  Covert Channel Analysis
  SC-41  Port and I/O Device Access
  SI-04  Information System Monitoring

CSC-18  Incident Response and Management
  IR-01  Incident Response Policy and Procedures
  IR-02  Incident Response Training
  IR-03  Incident Response Testing
  IR-04  Incident Handling
  IR-05  Incident Monitoring
  IR-06  Incident Reporting
  IR-07  Incident Response Assistance
  IR-08  Incident Response Plan
  IR-10  Integrated Information Security Analysis Team

CSC-19  Secure Network Engineering
  AC-04  Information Flow Enforcement
  CA-03  System Interconnections
  CA-09  Internal System Connections
  SA-08  Security Engineering Principles
  SC-20  Secure Name/Address Resolution Service (Authoritative Source)
  SC-21  Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  SC-22  Architecture and Provisioning for Name/Address Resolution Service
  SC-32  Information System Partitioning
  SC-37  Out-of-Band Channels

CSC-20  Penetration Tests and Red Team Exercises
  PM-16  Threat Awareness Program
  CA-02  Security Assessments
  CA-05  Plan of Action and Milestones
  CA-06  Security Authorization
  CA-08  Penetration Testing
  RA-06  Technical Surveillance Countermeasures Survey
  SI-06  Security Function Verification
  PM-06  Information Security Measures of Performance
  PM-14  Testing, Training, & Monitoring

Mapping of Critical Security Controls (CSC) v4.1 to NIST SP 800-53 Revision 4
Sheet: MAP_CSCv4.1_to_800-53r4_SORTCSC (Print Date: 3/1/2014, 12:02 PM)
Mapped (CSC, control) pairs: 203 in total. Per CSC: CSC-01 7, CSC-02 10, CSC-03 16, CSC-04 6, CSC-05 6, CSC-06 15, CSC-07 10, CSC-08 3, CSC-09 9, CSC-10 12, CSC-11 11, CSC-12 9, CSC-13 11, CSC-14 17, CSC-15 10, CSC-16 11, CSC-17 13, CSC-18 9, CSC-19 9, CSC-20 9.
Columns: # (row), CSC, ID-CN (800-53 Rev. 4 control), PRI (the control's 800-53 priority code, P0-P3), CNT (number of CSCs that map to that control), control name. The sheet's per-CSC X/S cross-reference columns are not reproduced.

#    CSC     ID-CN  PRI  CNT  Control name
1    CSC-01  CA-07  P3   14   Continuous Monitoring
2    CSC-01  CM-08  P1   5    Information System Component Inventory
3    CSC-01  IA-03  P1   2    Device Identification and Authentication
4    CSC-01  SA-04  P1   3    Acquisition Process
5    CSC-01  SC-17  P1   3    Public Key Infrastructure Certificates
6    CSC-01  SI-04  P1   14   Information System Monitoring
7    CSC-01  PM-05  P1   2    Information System Inventory
8    CSC-02  CA-07  P3   14   Continuous Monitoring
9    CSC-02  CM-02  P1   6    Baseline Configuration
10   CSC-02  CM-08  P1   5    Information System Component Inventory
11   CSC-02  CM-10  P2   1    Software Usage Restrictions
12   CSC-02  CM-11  P1   2    User-Installed Software
13   CSC-02  SA-04  P1   3    Acquisition Process
14   CSC-02  SC-18  P2   1    Mobile Code
15   CSC-02  SC-34  P0   3    Non-Modifiable Executable Programs
16   CSC-02  SI-04  P1   14   Information System Monitoring
17   CSC-02  PM-05  P1   2    Information System Inventory
18   CSC-03  CA-07  P3   14   Continuous Monitoring
19   CSC-03  CM-02  P1   6    Baseline Configuration
20   CSC-03  CM-03  P1   2    Configuration Change Control
21   CSC-03  CM-05  P1   2    Access Restrictions for Change
22   CSC-03  CM-06  P1   3    Configuration Settings
23   CSC-03  CM-07  P1   1    Least Functionality
24   CSC-03  CM-08  P1   5    Information System Component Inventory
25   CSC-03  CM-09  P1   1    Configuration Management Plan
26   CSC-03  CM-11  P1   2    User-Installed Software
27   CSC-03  MA-04  P1   2    Nonlocal Maintenance
28   CSC-03  RA-05  P1   3    Vulnerability Scanning
29   CSC-03  SA-04  P1   3    Acquisition Process
30   CSC-03  SC-15  P1   1    Collaborative Computing Devices
31   CSC-03  SC-34  P0   3    Non-Modifiable Executable Programs
32   CSC-03  SI-02  P1   1    Flaw Remediation
33   CSC-03  SI-04  P1   14   Information System Monitoring
34   CSC-04  CA-02  P2   2    Security Assessments
35   CSC-04  CA-07  P3   14   Continuous Monitoring
36   CSC-04  RA-05  P1   3    Vulnerability Scanning
37   CSC-04  SC-34  P0   3    Non-Modifiable Executable Programs
38   CSC-04  SI-04  P1   14   Information System Monitoring
39   CSC-04  SI-07  P1   1    Software, Firmware, and Information Integrity
40   CSC-05  CA-07  P3   14   Continuous Monitoring
41   CSC-05  SC-39  P1   2    Process Isolation
42   CSC-05  SC-44  P0   1    Detonation Chambers
43   CSC-05  SI-03  P1   1    Malicious Code Protection
44   CSC-05  SI-04  P1   14   Information System Monitoring
45   CSC-05  SI-08  P2   1    Spam Protection
46   CSC-06  RA-05  P1   3    Vulnerability Scanning
47   CSC-06  SA-03  P1   1    System Development Life Cycle
48   CSC-06  SA-10  P1   1    Developer Configuration Management
49   CSC-06  SA-11  P1   2    Developer Security Testing and Evaluation
50   CSC-06  SA-13  P0   1    Trustworthiness
51   CSC-06  SA-15  P2   1    Development Process, Standards, and Tools
52   CSC-06  SA-16  P2   2    Developer-Provided Training
53   CSC-06  SA-17  P1   1    Developer Security Architecture and Design
54   CSC-06  SA-20  P0   1    Customized Development of Critical Components
55   CSC-06  SA-21  P0   1    Developer Screening
56   CSC-06  SC-39  P1   2    Process Isolation
57   CSC-06  SI-10  P1   1    Information Input Validation
58   CSC-06  SI-11  P2   1    Error Handling
59   CSC-06  SI-15  P0   1    Information Output Filtering
60   CSC-06  SI-16  P1   1    Memory Protection
61   CSC-07  AC-18  P1   1    Wireless Access
62   CSC-07  AC-19  P1   2    Access Control for Mobile Devices
63   CSC-07  CA-03  P1   4    System Interconnections
64   CSC-07  CA-07  P3   14   Continuous Monitoring
65   CSC-07  CM-02  P1   6    Baseline Configuration
66   CSC-07  IA-03  P1   2    Device Identification and Authentication
67   CSC-07  SC-08  P1   3    Transmission Confidentiality and Integrity
68   CSC-07  SC-17  P1   3    Public Key Infrastructure Certificates
69   CSC-07  SC-40  P0   1    Wireless Link Protection
70   CSC-07  SI-04  P1   14   Information System Monitoring
71   CSC-08  CP-09  P1   1    Information System Backup
72   CSC-08  CP-10  P1   1    Information System Recovery and Reconstitution
73   CSC-08  MP-04  P1   1    Media Storage
74   CSC-09  AT-01  P1   1    Security Awareness and Training Policy and Procedures
75   CSC-09  AT-02  P1   1    Security Awareness Training
76   CSC-09  AT-03  P1   1    Role-Based Security Training
77   CSC-09  AT-04  P3   1    Security Training Records
78   CSC-09  SA-11  P1   2    Developer Security Testing and Evaluation
79   CSC-09  SA-16  P2   2    Developer-Provided Training
80   CSC-09  PM-13  P1   1    Information Security Workforce
81   CSC-09  PM-14  P1   2    Testing, Training, & Monitoring
82   CSC-09  PM-16  P1   2    Threat Awareness Program
83   CSC-10  AC-04  P1   5    Information Flow Enforcement
84   CSC-10  CA-03  P1   4    System Interconnections
85   CSC-10  CA-07  P3   14   Continuous Monitoring
86   CSC-10  CA-09  P2   5    Internal System Connections
87   CSC-10  CM-02  P1   6    Baseline Configuration
88   CSC-10  CM-03  P1   2    Configuration Change Control
89   CSC-10  CM-05  P1   2    Access Restrictions for Change
90   CSC-10  CM-06  P1   3    Configuration Settings
91   CSC-10  CM-08  P1   5    Information System Component Inventory
92   CSC-10  MA-04  P1   2    Nonlocal Maintenance
93   CSC-10  SC-24  P1   1    Fail in Known State
94   CSC-10  SI-04  P1   14   Information System Monitoring
95   CSC-11  AC-04  P1   5    Information Flow Enforcement
96   CSC-11  CA-07  P3   14   Continuous Monitoring
97   CSC-11  CA-09  P2   5    Internal System Connections
98   CSC-11  CM-02  P1   6    Baseline Configuration
99   CSC-11  CM-06  P1   3    Configuration Settings
100  CSC-11  CM-08  P1   5    Information System Component Inventory
101  CSC-11  SC-20  P1   2    Secure Name/Address Resolution Service (Authoritative Source)
102  CSC-11  SC-21  P1   2    Secure Name/Address Resolution Service (Recursive or Caching Resolver)
103  CSC-11  SC-22  P1   2    Architecture and Provisioning for Name/Address Resolution Service
104  CSC-11  SC-41  P0   2    Port and I/O Device Access
105  CSC-11  SI-04  P1   14   Information System Monitoring
106  CSC-12  AC-02  P1   3    Account Management
107  CSC-12  AC-06  P1   2    Least Privilege
108  CSC-12  AC-17  P1   2    Remote Access
109  CSC-12  AC-19  P1   2    Access Control for Mobile Devices
110  CSC-12  CA-07  P3   14   Continuous Monitoring
111  CSC-12  IA-02  P1   1    Identification and Authentication (Organizational Users)
112  CSC-12  IA-04  P1   1    Identifier Management
113  CSC-12  IA-05  P1   2    Authenticator Management
114  CSC-12  SI-04  P1   14   Information System Monitoring
115  CSC-13  AC-04  P1   5    Information Flow Enforcement
116  CSC-13  AC-17  P1   2    Remote Access
117  CSC-13  AC-20  P1   1    Use of External Information Systems
118  CSC-13  CA-03  P1   4    System Interconnections
119  CSC-13  CA-07  P3   14   Continuous Monitoring
120  CSC-13  CA-09  P2   5    Internal System Connections
121  CSC-13  CM-02  P1   6    Baseline Configuration
122  CSC-13  SA-09  P1   1    External Information System Services
123  CSC-13  SC-07  P1   1    Boundary Protection
124  CSC-13  SC-08  P1   3    Transmission Confidentiality and Integrity
125  CSC-13  SI-04  P1   14   Information System Monitoring
126  CSC-14  AC-23  P0   2    Data Mining Protection
127  CSC-14  AU-02  P1   1    Audit Events
128  CSC-14  AU-03  P1   1    Content of Audit Records
129  CSC-14  AU-04  P1   1    Audit Storage Capacity
130  CSC-14  AU-05  P1   1    Response to Audit Processing Failures
131  CSC-14  AU-06  P1   1    Audit Review, Analysis, and Reporting
132  CSC-14  AU-07  P2   1    Audit Reduction and Report Generation
133  CSC-14  AU-08  P1   1    Time Stamps
134  CSC-14  AU-09  P1   1    Protection of Audit Information
135  CSC-14  AU-10  P1   1    Non-repudiation
136  CSC-14  AU-11  P3   1    Audit Record Retention
137  CSC-14  AU-12  P1   1    Audit Generation
138  CSC-14  AU-13  P0   1    Monitoring for Information Disclosure
139  CSC-14  AU-14  P0   1    Session Audit
140  CSC-14  CA-07  P3   14   Continuous Monitoring
141  CSC-14  IA-10  P0   2    Adaptive Identification and Authentication
142  CSC-14  SI-04  P1   14   Information System Monitoring
143  CSC-15  AC-01  P1   1    Access Control Policy and Procedures
144  CSC-15  AC-02  P1   3    Account Management
145  CSC-15  AC-03  P1   3    Access Enforcement
146  CSC-15  AC-06  P1   2    Least Privilege
147  CSC-15  AC-24  P0   1    Access Control Decisions
148  CSC-15  CA-07  P3   14   Continuous Monitoring
149  CSC-15  MP-03  P2   1    Media Marking
150  CSC-15  RA-02  P1   1    Security Categorization
151  CSC-15  SC-16  P0   1    Transmission of Security Attributes
152  CSC-15  SI-04  P1   14   Information System Monitoring
153  CSC-16  AC-02  P1   3    Account Management
154  CSC-16  AC-03  P1   3    Access Enforcement
155  CSC-16  AC-07  P2   1    Unsuccessful Logon Attempts
156  CSC-16  AC-11  P3   1    Session Lock
157  CSC-16  AC-12  P2   1    Session Termination
158  CSC-16  CA-07  P3   14   Continuous Monitoring
159  CSC-16  IA-05  P1   2    Authenticator Management
160  CSC-16  IA-10  P0   2    Adaptive Identification and Authentication
161  CSC-16  SC-17  P1   3    Public Key Infrastructure Certificates
162  CSC-16  SC-23  P1   1    Session Authenticity
163  CSC-16  SI-04  P1   14   Information System Monitoring
164  CSC-17  AC-03  P1   3    Access Enforcement
165  CSC-17  AC-04  P1   5    Information Flow Enforcement
166  CSC-17  AC-23  P0   2    Data Mining Protection
167  CSC-17  CA-07  P3   14   Continuous Monitoring
168  CSC-17  CA-09  P2   5    Internal System Connections
169  CSC-17  IR-09  P0   1    Information Spillage Response
170  CSC-17  MP-05  P1   1    Media Transport
171  CSC-17  SA-18  P0   1    Tamper Resistance and Detection
172  CSC-17  SC-08  P1   3    Transmission Confidentiality and Integrity
173  CSC-17  SC-28  P1   1    Protection of Information at Rest
174  CSC-17  SC-31  P0   1    Covert Channel Analysis
175  CSC-17  SC-41  P0   2    Port and I/O Device Access
176  CSC-17  SI-04  P1   14   Information System Monitoring
177  CSC-18  IR-01  P1   1    Incident Response Policy and Procedures
178  CSC-18  IR-02  P2   1    Incident Response Training
179  CSC-18  IR-03  P2   1    Incident Response Testing
180  CSC-18  IR-04  P1   1    Incident Handling
181  CSC-18  IR-05  P1   1    Incident Monitoring
182  CSC-18  IR-06  P1   1    Incident Reporting
183  CSC-18  IR-07  P3   1    Incident Response Assistance
184  CSC-18  IR-08  P1   1    Incident Response Plan
185  CSC-18  IR-10  P0   1    Integrated Information Security Analysis Team
186  CSC-19  AC-04  P1   5    Information Flow Enforcement
187  CSC-19  CA-03  P1   4    System Interconnections
188  CSC-19  CA-09  P2   5    Internal System Connections
189  CSC-19  SA-08  P1   1    Security Engineering Principles
190  CSC-19  SC-20  P1   2    Secure Name/Address Resolution Service (Authoritative Source)
191  CSC-19  SC-21  P1   2    Secure Name/Address Resolution Service (Recursive or Caching Resolver)
192  CSC-19  SC-22  P1   2    Architecture and Provisioning for Name/Address Resolution Service
193  CSC-19  SC-32  P0   1    Information System Partitioning
194  CSC-19  SC-37  P0   1    Out-of-Band Channels
195  CSC-20  PM-16  P1   2    Threat Awareness Program
196  CSC-20  CA-02  P2   2    Security Assessments
197  CSC-20  CA-05  P3   1    Plan of Action and Milestones
198  CSC-20  CA-06  P3   1    Security Authorization
199  CSC-20  CA-08  P1   1    Penetration Testing
200  CSC-20  RA-06  P0   1    Technical Surveillance Countermeasures Survey
201  CSC-20  SI-06  P1   1    Security Function Verification
202  CSC-20  PM-06  P1   1    Information Security Measures of Performance
203  CSC-20  PM-14  P1   2    Testing, Training, & Monitoring

Mapping NIST SP 800-53 Revision 4 to Critical Security Controls (CSC) v4.1 (sheet MAP_CSCv4.1_to_800-53r4_SORT_ID; columns: family, control ID, control name, priority, occurrences per CSC–01 through CSC–20)

Access Control (AC)
AC–01 Access Control Policy and Procedures P1
AC–02 Account Management P1
AC–03 Access Enforcement P1
AC–04 Information Flow Enforcement P1
AC–05 Separation of Duties P1
AC–06 Least Privilege P1
AC–07 Unsuccessful Logon Attempts P2
AC–08 System Use Notification P1
AC–09 Previous Logon (Access) Notification P0
AC–10 Concurrent Session Control P2
AC–11 Session Lock P3
AC–12 Session Termination P2
AC–13 Withdrawn
AC–14 Permitted Actions without Identification or Authentication P1
AC–15 Withdrawn
AC–16 Security Attributes P0
AC–17 Remote Access P1
AC–18 Wireless Access P1
AC–19 Access Control for Mobile Devices P1
AC–20 Use of External Information Systems P1
AC–21 Information Sharing P2
AC–22 Publicly Accessible Content P2
AC–23 Data Mining Protection P0
AC–24 Access Control Decisions P0
AC–25 Reference Monitor P0

Awareness and Training (AT)
AT–01 Security Awareness and Training Policy and Procedures P1
AT–02 Security Awareness Training P1
AT–03 Role-Based Security Training P1
AT–04 Security Training Records P3
AT–05 Withdrawn

Audit & Accountability (AU)
AU–01 Audit and Accountability Policy and Procedures P1
AU–02 Audit Events P1
AU–03 Content of Audit Records P1
AU–04 Audit Storage Capacity P1
AU–05 Response to Audit Processing Failures P1
AU–06 Audit Review, Analysis, and Reporting P1
AU–07 Audit Reduction and Report Generation P2

Page 13 of 69

Audit & Accountability (AU), continued
AU–08 Time Stamps P1
AU–09 Protection of Audit Information P1
AU–10 Non-repudiation P1
AU–11 Audit Record Retention P3
AU–12 Audit Generation P1
AU–13 Monitoring for Information Disclosure P0
AU–14 Session Audit P0
AU–15 Alternate Audit Capability P0
AU–16 Cross-Organizational Auditing P0

Security Assessment and Authorization (CA)
CA–01 Security Assessment and Authorization Policies and Procedures P1
CA–02 Security Assessments P2
CA–03 System Interconnections P1
CA–04 Withdrawn
CA–05 Plan of Action and Milestones P3
CA–06 Security Authorization P3
CA–07 Continuous Monitoring P3
CA–08 Penetration Testing P1
CA–09 Internal System Connections P2

Configuration Management (CM)
CM–01 Configuration Management Policy and Procedures P1
CM–02 Baseline Configuration P1
CM–03 Configuration Change Control P1
CM–04 Security Impact Analysis P2
CM–05 Access Restrictions for Change P1
CM–06 Configuration Settings P1
CM–07 Least Functionality P1
CM–08 Information System Component Inventory P1
CM–09 Configuration Management Plan P1
CM–10 Software Usage Restrictions P2
CM–11 User-Installed Software P1

Contingency Planning (CP)
CP–01 Contingency Planning Policy and Procedures P1
CP–02 Contingency Plan P1
CP–03 Contingency Training P2
CP–04 Contingency Plan Testing P2
CP–05 Withdrawn
CP–06 Alternate Storage Site P1

Page 14 of 69

Contingency Planning (CP), continued
CP–07 Alternate Processing Site P1
CP–08 Telecommunications Services P1
CP–09 Information System Backup P1
CP–10 Information System Recovery and Reconstitution P1
CP–11 Alternate Communications Protocols P0
CP–12 Safe Mode P0
CP–13 Alternative Security Mechanisms P0

Identification and Authentication (IA)
IA–01 Identification and Authentication Policy and Procedures P1
IA–02 Identification and Authentication (Organizational Users) P1
IA–03 Device Identification and Authentication P1
IA–04 Identifier Management P1
IA–05 Authenticator Management P1
IA–06 Authenticator Feedback P1
IA–07 Cryptographic Module Authentication P1
IA–08 Identification and Authentication (Non-Organizational Users) P1
IA–09 Service Identification and Authentication P0
IA–10 Adaptive Identification and Authentication P0
IA–11 Re-authentication P0

Incident Response (IR)
IR–01 Incident Response Policy and Procedures P1
IR–02 Incident Response Training P2
IR–03 Incident Response Testing P2
IR–04 Incident Handling P1
IR–05 Incident Monitoring P1
IR–06 Incident Reporting P1
IR–07 Incident Response Assistance P3
IR–08 Incident Response Plan P1
IR–09 Information Spillage Response P0
IR–10 Integrated Information Security Analysis Team P0

Maintenance (MA)
MA–01 System Maintenance Policy and Procedures P1
MA–02 Controlled Maintenance P2
MA–03 Maintenance Tools P2
MA–04 Nonlocal Maintenance P1
MA–05 Maintenance Personnel P1
MA–06 Timely Maintenance P2

Page 15 of 69

Media Protection (MP)
MP–01 Media Protection Policy and Procedures P1
MP–02 Media Access P1
MP–03 Media Marking P2
MP–04 Media Storage P1
MP–05 Media Transport P1
MP–06 Media Sanitization P1
MP–07 Media Use P1
MP–08 Media Downgrading P0

Physical and Environmental Protection (PE)
PE–01 Physical and Environmental Protection Policy and Procedures P1
PE–02 Physical Access Authorizations P1
PE–03 Physical Access Control P1
PE–04 Access Control for Transmission Medium P1
PE–05 Access Control for Output Devices P2
PE–06 Monitoring Physical Access P1
PE–07 Withdrawn
PE–08 Visitor Access Records P3
PE–09 Power Equipment and Cabling P1
PE–10 Emergency Shutoff P1
PE–11 Emergency Power P1
PE–12 Emergency Lighting P1
PE–13 Fire Protection P1
PE–14 Temperature and Humidity Controls P1
PE–15 Water Damage Protection P1
PE–16 Delivery and Removal P2
PE–17 Alternate Work Site P2
PE–18 Location of Information System Components P3
PE–19 Information Leakage P0
PE–20 Asset Monitoring and Tracking P0

Planning (PL)
PL–01 Security Planning Policy and Procedures P1
PL–02 System Security Plan P1
PL–03 Withdrawn
PL–04 Rules of Behavior P2
PL–05 Withdrawn
PL–06 Withdrawn
PL–07 Security Concept of Operations P0
PL–08 Information Security Architecture P1

Page 16 of 69

Planning (PL), continued
PL–09 Central Management P0

Personnel Security (PS)
PS–01 Personnel Security Policy and Procedures P1
PS–02 Position Risk Designation P1
PS–03 Personnel Screening P1
PS–04 Personnel Termination P1
PS–05 Personnel Transfer P2
PS–06 Access Agreements P3
PS–07 Third-Party Personnel Security P1
PS–08 Personnel Sanctions P3

Risk Assessment (RA)
RA–01 Risk Assessment Policy and Procedures P1
RA–02 Security Categorization P1
RA–03 Risk Assessment P1
RA–04 Withdrawn
RA–05 Vulnerability Scanning P1
RA–06 Technical Surveillance Countermeasures Survey P0

System and Services Acquisition (SA)
SA–01 System and Services Acquisition Policy and Procedures P1
SA–02 Allocation of Resources P1
SA–03 System Development Life Cycle P1
SA–04 Acquisition Process P1
SA–05 Information System Documentation P2
SA–06 Withdrawn
SA–07 Withdrawn
SA–08 Security Engineering Principles P1
SA–09 External Information System Services P1
SA–10 Developer Configuration Management P1
SA–11 Developer Security Testing and Evaluation P1
SA–12 Supply Chain Protection P1
SA–13 Trustworthiness P0
SA–14 Criticality Analysis P0
SA–15 Development Process, Standards, and Tools P2
SA–16 Developer-Provided Training P2
SA–17 Developer Security Architecture and Design P1
SA–18 Tamper Resistance and Detection P0
SA–19 Component Authenticity P0
SA–20 Customized Development of Critical Components P0

Page 17 of 69

System and Services Acquisition (SA), continued
SA–21 Developer Screening P0
SA–22 Unsupported System Components P0

System and Communications Protection (SC)
SC–01 System and Communications Protection Policy and Procedures P1
SC–02 Application Partitioning P1
SC–03 Security Function Isolation P1
SC–04 Information in Shared Resources P1
SC–05 Denial of Service Protection P1
SC–06 Resource Availability P0
SC–07 Boundary Protection P1
SC–08 Transmission Confidentiality and Integrity P1
SC–09 Withdrawn
SC–10 Network Disconnect P2
SC–11 Trusted Path P0
SC–12 Cryptographic Key Establishment and Management P1
SC–13 Cryptographic Protection P1
SC–14 Withdrawn
SC–15 Collaborative Computing Devices P1
SC–16 Transmission of Security Attributes P0
SC–17 Public Key Infrastructure Certificates P1
SC–18 Mobile Code P2
SC–19 Voice Over Internet Protocol P1
SC–20 Secure Name/Address Resolution Service (Authoritative Source) P1
SC–21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) P1
SC–22 Architecture and Provisioning for Name/Address Resolution Service P1
SC–23 Session Authenticity P1
SC–24 Fail in Known State P1
SC–25 Thin Nodes P0
SC–26 Honeypots P0
SC–27 Platform-Independent Applications P0
SC–28 Protection of Information at Rest P1
SC–29 Heterogeneity P0
SC–30 Concealment and Misdirection P0
SC–31 Covert Channel Analysis P0
SC–32 Information System Partitioning P0
SC–33 Withdrawn
SC–34 Non-Modifiable Executable Programs P0
SC–35 Honeyclients P0

Page 18 of 69

System and Communications Protection (SC), continued
SC–36 Distributed Processing and Storage P0
SC–37 Out-of-Band Channels P0
SC–38 Operations Security P0
SC–39 Process Isolation P1
SC–40 Wireless Link Protection P0
SC–41 Port and I/O Device Access P0
SC–42 Sensor Capability and Data P0
SC–43 Usage Restrictions P0
SC–44 Detonation Chambers P0

System and Information Integrity (SI)
SI–01 System and Information Integrity Policy and Procedures P1
SI–02 Flaw Remediation P1
SI–03 Malicious Code Protection P1
SI–04 Information System Monitoring P1
SI–05 Security Alerts, Advisories, and Directives P1
SI–06 Security Function Verification P1
SI–07 Software, Firmware, and Information Integrity P1
SI–08 Spam Protection P2
SI–09 Withdrawn
SI–10 Information Input Validation P1
SI–11 Error Handling P2
SI–12 Information Handling and Retention P2
SI–13 Predictable Failure Prevention P0
SI–14 Non-Persistence P0
SI–15 Information Output Filtering P0
SI–16 Memory Protection P1
SI–17 Fail-Safe Procedures P0

Program Management (PM)
PM–01 Information Security Program Plan P1
PM–02 Senior Information Security Officer P1
PM–03 Information Security Resources P1
PM–04 Plan of Action and Milestones Process P1
PM–05 Information System Inventory P1
PM–06 Information Security Measures of Performance P1
PM–07 Enterprise Architecture P1
PM–08 Critical Infrastructure Plan P1
PM–09 Risk Management Strategy P1
PM–10 Security Authorization Process P1

Page 19 of 69

Program Management (PM), continued
PM–11 Mission/Business Process Definition P1
PM–12 Insider Threat Program P1
PM–13 Information Security Workforce P1
PM–14 Testing, Training, & Monitoring P1
PM–15 Contacts with Security Groups and Associations P1
PM–16 Threat Awareness Program P1

Page 20 of 69

Sheet HMAP_53r4_to_CSCv4.1_&_NIST_PUBS: Map NIST Special Publication (SP) 800-53 Revision 4 to Critical Security Controls (CSC) Version 4.1 and NIST 800 Series Special Publications.

Rows are the Critical Security Controls with the total number of SP 800-53 controls mapped to each:
CSC–01 Inventory of Authorized & Unauthorized Devices: 7
CSC–02 Inventory of Authorized and Unauthorized Software: 10
CSC–03 Secure Configurations for Mobile Devices, Workstations, Servers: 16
CSC–04 Continuous Vulnerability Assessment and Remediation: 6
CSC–05 Malware Defenses: 6
CSC–06 Application Software Security: 15
CSC–07 Wireless Device Control: 10
CSC–08 Data Recovery Capability: 3
CSC–09 Security Skills Assessment and Appropriate Training to Fill Gaps: 9
CSC–10 Secure Configurations for Network Infrastructure & Security Devices: 12

Columns are the SP 800-53 Rev. 4 controls by family: Access Control (AC–01 Access Control Policy and Procedures through AC–25 Reference Monitor), Awareness and Training (AT–01 through AT–05 Withdrawn), and Audit & Accountability (AU–01 Audit and Accountability Policy and Procedures through AU–08 Time Stamps) are visible on this page.
