NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE
An OSCAL Profile
370 controls organized in 18 groups
AC - Access Control
46 Controls
AC-1 - Policy and Procedures
AC-2 - Account Management
8 Subcontrols
AC-2.1 - Automated System Account Management
AC-2.2 - Automated Temporary and Emergency Account Management
AC-2.3 - Disable Accounts
AC-2.4 - Automated Audit Actions
AC-2.5 - Inactivity Logout
AC-2.11 - Usage Conditions
AC-2.12 - Account Monitoring for Atypical Usage
AC-2.13 - Disable Accounts for High-risk Individuals
AC-3 - Access Enforcement
AC-4 - Information Flow Enforcement
1 Subcontrol
AC-4.4 - Flow Control of Encrypted Information
AC-5 - Separation of Duties
AC-6 - Least Privilege
7 Subcontrols
AC-6.1 - Authorize Access to Security Functions
AC-6.2 - Non-privileged Access for Nonsecurity Functions
AC-6.3 - Network Access to Privileged Commands
AC-6.5 - Privileged Accounts
AC-6.7 - Review of User Privileges
AC-6.9 - Log Use of Privileged Functions
AC-6.10 - Prohibit Non-privileged Users from Executing Privileged Functions
AC-7 - Unsuccessful Logon Attempts
AC-8 - System Use Notification
AC-10 - Concurrent Session Control
AC-11 - Device Lock
1 Subcontrol
AC-11.1 - Pattern-hiding Displays
AC-12 - Session Termination
AC-14 - Permitted Actions Without Identification or Authentication
AC-17 - Remote Access
4 Subcontrols
AC-17.1 - Monitoring and Control
AC-17.2 - Protection of Confidentiality and Integrity Using Encryption
AC-17.3 - Managed Access Control Points
AC-17.4 - Privileged Commands and Access
AC-18 - Wireless Access
4 Subcontrols
AC-18.1 - Authentication and Encryption
AC-18.3 - Disable Wireless Networking
AC-18.4 - Restrict Configurations by Users
AC-18.5 - Antennas and Transmission Power Levels
AC-19 - Access Control for Mobile Devices
1 Subcontrol
AC-19.5 - Full Device or Container-based Encryption
AC-20 - Use of External Systems
2 Subcontrols
AC-20.1 - Limits on Authorized Use
AC-20.2 - Portable Storage Devices — Restricted Use
AC-21 - Information Sharing
AC-22 - Publicly Accessible Content
AT - Awareness and Training
6 Controls
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
2 Subcontrols
AT-2.2 - Insider Threat
AT-2.3 - Social Engineering and Mining
AT-3 - Role-based Training
AT-4 - Training Records
AU - Audit and Accountability
25 Controls
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-3 - Content of Audit Records
1 Subcontrol
AU-3.1 - Additional Audit Information
AU-4 - Audit Log Storage Capacity
AU-5 - Response to Audit Logging Process Failures
2 Subcontrols
AU-5.1 - Storage Capacity Warning
AU-5.2 - Real-time Alerts
AU-6 - Audit Record Review, Analysis, and Reporting
4 Subcontrols
AU-6.1 - Automated Process Integration
AU-6.3 - Correlate Audit Record Repositories
AU-6.5 - Integrated Analysis of Audit Records
AU-6.6 - Correlation with Physical Monitoring
AU-7 - Audit Record Reduction and Report Generation
1 Subcontrol
AU-7.1 - Automatic Processing
AU-8 - Time Stamps
AU-9 - Protection of Audit Information
3 Subcontrols
AU-9.2 - Store on Separate Physical Systems or Components
AU-9.3 - Cryptographic Protection
AU-9.4 - Access by Subset of Privileged Users
AU-10 - Non-repudiation
AU-11 - Audit Record Retention
AU-12 - Audit Record Generation
2 Subcontrols
AU-12.1 - System-wide and Time-correlated Audit Trail
AU-12.3 - Changes by Authorized Individuals
CA - Assessment, Authorization, and Monitoring
14 Controls
CA-1 - Policy and Procedures
CA-2 - Control Assessments
2 Subcontrols
CA-2.1 - Independent Assessors
CA-2.2 - Specialized Assessments
CA-3 - Information Exchange
1 Subcontrol
CA-3.6 - Transfer Authorizations
CA-5 - Plan of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
2 Subcontrols
CA-7.1 - Independent Assessment
CA-7.4 - Risk Monitoring
CA-8 - Penetration Testing
1 Subcontrol
CA-8.1 - Independent Penetration Testing Agent or Team
CA-9 - Internal System Connections
CM - Configuration Management
32 Controls
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
3 Subcontrols
CM-2.2 - Automation Support for Accuracy and Currency
CM-2.3 - Retention of Previous Configurations
CM-2.7 - Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
4 Subcontrols
CM-3.1 - Automated Documentation, Notification, and Prohibition of Changes
CM-3.2 - Testing, Validation, and Documentation of Changes
CM-3.4 - Security and Privacy Representatives
CM-3.6 - Cryptography Management
CM-4 - Impact Analyses
2 Subcontrols
CM-4.1 - Separate Test Environments
CM-4.2 - Verification of Controls
CM-5 - Access Restrictions for Change
1 Subcontrol
CM-5.1 - Automated Access Enforcement and Audit Records
CM-6 - Configuration Settings
2 Subcontrols
CM-6.1 - Automated Management, Application, and Verification
CM-6.2 - Respond to Unauthorized Changes
CM-7 - Least Functionality
3 Subcontrols
CM-7.1 - Periodic Review
CM-7.2 - Prevent Program Execution
CM-7.5 - Authorized Software — Allow-by-exception
CM-8 - System Component Inventory
4 Subcontrols
CM-8.1 - Updates During Installation and Removal
CM-8.2 - Automated Maintenance
CM-8.3 - Automated Unauthorized Component Detection
CM-8.4 - Accountability Information
CM-9 - Configuration Management Plan
CM-10 - Software Usage Restrictions
CM-11 - User-installed Software
CM-12 - Information Location
1 Subcontrol
CM-12.1 - Automated Tools to Support Information Location
CP - Contingency Planning
35 Controls
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
5 Subcontrols
CP-2.1 - Coordinate with Related Plans
CP-2.2 - Capacity Planning
CP-2.3 - Resume Mission and Business Functions
CP-2.5 - Continue Mission and Business Functions
CP-2.8 - Identify Critical Assets
CP-3 - Contingency Training
1 Subcontrol
CP-3.1 - Simulated Events
CP-4 - Contingency Plan Testing
2 Subcontrols
CP-4.1 - Coordinate with Related Plans
CP-4.2 - Alternate Processing Site
CP-6 - Alternate Storage Site
3 Subcontrols
CP-6.1 - Separation from Primary Site
CP-6.2 - Recovery Time and Recovery Point Objectives
CP-6.3 - Accessibility
CP-7 - Alternate Processing Site
4 Subcontrols
CP-7.1 - Separation from Primary Site
CP-7.2 - Accessibility
CP-7.3 - Priority of Service
CP-7.4 - Preparation for Use
CP-8 - Telecommunications Services
4 Subcontrols
CP-8.1 - Priority of Service Provisions
CP-8.2 - Single Points of Failure
CP-8.3 - Separation of Primary and Alternate Providers
CP-8.4 - Provider Contingency Plan
CP-9 - System Backup
5 Subcontrols
CP-9.1 - Testing for Reliability and Integrity
CP-9.2 - Test Restoration Using Sampling
CP-9.3 - Separate Storage for Critical Information
CP-9.5 - Transfer to Alternate Storage Site
CP-9.8 - Cryptographic Protection
CP-10 - System Recovery and Reconstitution
2 Subcontrols
CP-10.2 - Transaction Recovery
CP-10.4 - Restore Within Time Period
IA - Identification and Authentication
26 Controls
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (Organizational Users)
5 Subcontrols
IA-2.1 - Multi-factor Authentication to Privileged Accounts
IA-2.2 - Multi-factor Authentication to Non-privileged Accounts
IA-2.5 - Individual Authentication with Group Authentication
IA-2.8 - Access to Accounts — Replay Resistant
IA-2.12 - Acceptance of PIV Credentials
IA-3 - Device Identification and Authentication
IA-4 - Identifier Management
1 Subcontrol
IA-4.4 - Identify User Status
IA-5 - Authenticator Management
3 Subcontrols
IA-5.1 - Password-based Authentication
IA-5.2 - Public Key-based Authentication
IA-5.6 - Protection of Authenticators
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (Non-organizational Users)
3 Subcontrols
IA-8.1 - Acceptance of PIV Credentials from Other Agencies
IA-8.2 - Acceptance of External Authenticators
IA-8.4 - Use of Defined Profiles
IA-11 - Re-authentication
IA-12 - Identity Proofing
4 Subcontrols
IA-12.2 - Identity Evidence
IA-12.3 - Identity Evidence Validation and Verification
IA-12.4 - In-person Validation and Verification
IA-12.5 - Address Confirmation
IR - Incident Response
18 Controls
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
2 Subcontrols
IR-2.1 - Simulated Events
IR-2.2 - Automated Training Environments
IR-3 - Incident Response Testing
1 Subcontrol
IR-3.2 - Coordination with Related Plans
IR-4 - Incident Handling
3 Subcontrols
IR-4.1 - Automated Incident Handling Processes
IR-4.4 - Information Correlation
IR-4.11 - Integrated Incident Response Team
IR-5 - Incident Monitoring
1 Subcontrol
IR-5.1 - Automated Tracking, Data Collection, and Analysis
IR-6 - Incident Reporting
2 Subcontrols
IR-6.1 - Automated Reporting
IR-6.3 - Supply Chain Coordination
IR-7 - Incident Response Assistance
1 Subcontrol
IR-7.1 - Automation Support for Availability of Information and Support
IR-8 - Incident Response Plan
MA - Maintenance
12 Controls
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
1 Subcontrol
MA-2.2 - Automated Maintenance Activities
MA-3 - Maintenance Tools
3 Subcontrols
MA-3.1 - Inspect Tools
MA-3.2 - Inspect Media
MA-3.3 - Prevent Unauthorized Removal
MA-4 - Nonlocal Maintenance
1 Subcontrol
MA-4.3 - Comparable Security and Sanitization
MA-5 - Maintenance Personnel
1 Subcontrol
MA-5.1 - Individuals Without Appropriate Access
MA-6 - Timely Maintenance
MP - Media Protection
10 Controls
MP-1 - Policy and Procedures
MP-2 - Media Access
MP-3 - Media Marking
MP-4 - Media Storage
MP-5 - Media Transport
MP-6 - Media Sanitization
3 Subcontrols
MP-6.1 - Review, Approve, Track, Document, and Verify
MP-6.2 - Equipment Testing
MP-6.3 - Nondestructive Techniques
MP-7 - Media Use
PE - Physical and Environmental Protection
25 Controls
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
PE-3 - Physical Access Control
1 Subcontrol
PE-3.1 - System Access
PE-4 - Access Control for Transmission
PE-5 - Access Control for Output Devices
PE-6 - Monitoring Physical Access
2 Subcontrols
PE-6.1 - Intrusion Alarms and Surveillance Equipment
PE-6.4 - Monitoring Physical Access to Systems
PE-8 - Visitor Access Records
1 Subcontrol
PE-8.1 - Automated Records Maintenance and Review
PE-9 - Power Equipment and Cabling
PE-10 - Emergency Shutoff
PE-11 - Emergency Power
1 Subcontrol
PE-11.1 - Alternate Power Supply — Minimal Operational Capability
PE-12 - Emergency Lighting
PE-13 - Fire Protection
2 Subcontrols
PE-13.1 - Detection Systems — Automatic Activation and Notification
PE-13.2 - Suppression Systems — Automatic Activation and Notification
PE-14 - Environmental Controls
PE-15 - Water Damage Protection
1 Subcontrol
PE-15.1 - Automation Support
PE-16 - Delivery and Removal
PE-17 - Alternate Work Site
PE-18 - Location of System Components
PL - Planning
7 Controls
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and External Site/Application Usage Restrictions
PL-8 - Security and Privacy Architectures
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PS - Personnel Security
10 Controls
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
PS-4 - Personnel Termination
1 Subcontrol
PS-4.2 - Automated Actions
PS-5 - Personnel Transfer
PS-6 - Access Agreements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
RA - Risk Assessment
11 Controls
RA-1 - Policy and Procedures
RA-2 - Security Categorization
RA-3 - Risk Assessment
1 Subcontrol
RA-3.1 - Supply Chain Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
4 Subcontrols
RA-5.2 - Update Vulnerabilities to Be Scanned
RA-5.4 - Discoverable Information
RA-5.5 - Privileged Access
RA-5.11 - Public Disclosure Program
RA-7 - Risk Response
RA-9 - Criticality Analysis
SA - System and Services Acquisition
21 Controls
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
5 Subcontrols
SA-4.1 - Functional Properties of Controls
SA-4.2 - Design and Implementation Information for Controls
SA-4.5 - System, Component, and Service Configurations
SA-4.9 - Functions, Ports, Protocols, and Services in Use
SA-4.10 - Use of Approved PIV Products
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
1 Subcontrol
SA-9.2 - Identification of Functions, Ports, Protocols, and Services
SA-10 - Developer Configuration Management
SA-11 - Developer Testing and Evaluation
SA-15 - Development Process, Standards, and Tools
1 Subcontrol
SA-15.3 - Criticality Analysis
SA-16 - Developer-provided Training
SA-17 - Developer Security and Privacy Architecture and Design
SA-21 - Developer Screening
SA-22 - Unsupported System Components
SC - System and Communications Protection
30 Controls
SC-1 - Policy and Procedures
SC-2 - Separation of System and User Functionality
SC-3 - Security Function Isolation
SC-4 - Information in Shared System Resources
SC-5 - Denial-of-service Protection
SC-7 - Boundary Protection
7 Subcontrols
SC-7.3 - Access Points
SC-7.4 - External Telecommunications Services
SC-7.5 - Deny by Default — Allow by Exception
SC-7.7 - Split Tunneling for Remote Devices
SC-7.8 - Route Traffic to Authenticated Proxy Servers
SC-7.18 - Fail Secure
SC-7.21 - Isolation of System Components
SC-8 - Transmission Confidentiality and Integrity
1 Subcontrol
SC-8.1 - Cryptographic Protection
SC-10 - Network Disconnect
SC-12 - Cryptographic Key Establishment and Management
1 Subcontrol
SC-12.1 - Availability
SC-13 - Cryptographic Protection
SC-15 - Collaborative Computing Devices and Applications
SC-17 - Public Key Infrastructure Certificates
SC-18 - Mobile Code
SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 - Architecture and Provisioning for Name/Address Resolution Service
SC-23 - Session Authenticity
SC-24 - Fail in Known State
SC-28 - Protection of Information at Rest
1 Subcontrol
SC-28.1 - Cryptographic Protection
SC-39 - Process Isolation
SI - System and Information Integrity
28 Controls
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
1 Subcontrol
SI-2.2 - Automated Flaw Remediation Status
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
8 Subcontrols
SI-4.2 - Automated Tools and Mechanisms for Real-time Analysis
SI-4.4 - Inbound and Outbound Communications Traffic
SI-4.5 - System-generated Alerts
SI-4.10 - Visibility of Encrypted Communications
SI-4.12 - Automated Organization-generated Alerts
SI-4.14 - Wireless Intrusion Detection
SI-4.20 - Privileged Users
SI-4.22 - Unauthorized Network Services
SI-5 - Security Alerts, Advisories, and Directives
1 Subcontrol
SI-5.1 - Automated Alerts and Advisories
SI-6 - Security and Privacy Function Verification
SI-7 - Software, Firmware, and Information Integrity
5 Subcontrols
SI-7.1 - Integrity Checks
SI-7.2 - Automated Notifications of Integrity Violations
SI-7.5 - Automated Response to Integrity Violations
SI-7.7 - Integration of Detection and Response
SI-7.15 - Code Authentication
SI-8 - Spam Protection
1 Subcontrol
SI-8.2 - Automatic Updates
SI-10 - Information Input Validation
SI-11 - Error Handling
SI-12 - Information Management and Retention
SI-16 - Memory Protection
SR - Supply Chain Risk Management
14 Controls
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
1 Subcontrol
SR-2.1 - Establish SCRM Team
SR-3 - Supply Chain Controls and Processes
SR-5 - Acquisition Strategies, Tools, and Methods
SR-6 - Supplier Assessments and Reviews
SR-8 - Notification Agreements
SR-9 - Tamper Resistance and Detection
1 Subcontrol
SR-9.1 - Multiple Stages of System Development Life Cycle
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
2 Subcontrols
SR-11.1 - Anti-counterfeit Training
SR-11.2 - Configuration Control for Component Service and Repair
SR-12 - Component Disposal