NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE
An OSCAL Profile
149 controls organized in 18 groups
AC - Access Control
11 Controls
AC-1 - Policy and Procedures
AC-2 - Account Management
AC-3 - Access Enforcement
AC-7 - Unsuccessful Logon Attempts
AC-8 - System Use Notification
AC-14 - Permitted Actions Without Identification or Authentication
AC-17 - Remote Access
AC-18 - Wireless Access
AC-19 - Access Control for Mobile Devices
AC-20 - Use of External Systems
AC-22 - Publicly Accessible Content
AT - Awareness and Training
5 Controls
AT-1 - Policy and Procedures
AT-2 - Literacy Training and Awareness
1 Subcontrol
AT-2.2 - Insider Threat
AT-3 - Role-based Training
AT-4 - Training Records
AU - Audit and Accountability
10 Controls
AU-1 - Policy and Procedures
AU-2 - Event Logging
AU-3 - Content of Audit Records
AU-4 - Audit Log Storage Capacity
AU-5 - Response to Audit Logging Process Failures
AU-6 - Audit Record Review, Analysis, and Reporting
AU-8 - Time Stamps
AU-9 - Protection of Audit Information
AU-11 - Audit Record Retention
AU-12 - Audit Record Generation
CA - Assessment, Authorization, and Monitoring
8 Controls
CA-1 - Policy and Procedures
CA-2 - Control Assessments
CA-3 - Information Exchange
CA-5 - Plan of Action and Milestones
CA-6 - Authorization
CA-7 - Continuous Monitoring
1 Subcontrol
CA-7.4 - Risk Monitoring
CA-9 - Internal System Connections
CM - Configuration Management
9 Controls
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
CM-4 - Impact Analyses
CM-5 - Access Restrictions for Change
CM-6 - Configuration Settings
CM-7 - Least Functionality
CM-8 - System Component Inventory
CM-10 - Software Usage Restrictions
CM-11 - User-installed Software
CP - Contingency Planning
6 Controls
CP-1 - Policy and Procedures
CP-2 - Contingency Plan
CP-3 - Contingency Training
CP-4 - Contingency Plan Testing
CP-9 - System Backup
CP-10 - System Recovery and Reconstitution
IA - Identification and Authentication
16 Controls
IA-1 - Policy and Procedures
IA-2 - Identification and Authentication (Organizational Users)
4 Subcontrols
IA-2.1 - Multi-factor Authentication to Privileged Accounts
IA-2.2 - Multi-factor Authentication to Non-privileged Accounts
IA-2.8 - Access to Accounts — Replay Resistant
IA-2.12 - Acceptance of PIV Credentials
IA-4 - Identifier Management
IA-5 - Authenticator Management
1 Subcontrol
IA-5.1 - Password-based Authentication
IA-6 - Authentication Feedback
IA-7 - Cryptographic Module Authentication
IA-8 - Identification and Authentication (Non-organizational Users)
3 Subcontrols
IA-8.1 - Acceptance of PIV Credentials from Other Agencies
IA-8.2 - Acceptance of External Authenticators
IA-8.4 - Use of Defined Profiles
IA-11 - Re-authentication
IR - Incident Response
7 Controls
IR-1 - Policy and Procedures
IR-2 - Incident Response Training
IR-4 - Incident Handling
IR-5 - Incident Monitoring
IR-6 - Incident Reporting
IR-7 - Incident Response Assistance
IR-8 - Incident Response Plan
MA - Maintenance
4 Controls
MA-1 - Policy and Procedures
MA-2 - Controlled Maintenance
MA-4 - Nonlocal Maintenance
MA-5 - Maintenance Personnel
MP - Media Protection
4 Controls
MP-1 - Policy and Procedures
MP-2 - Media Access
MP-6 - Media Sanitization
MP-7 - Media Use
PE - Physical and Environmental Protection
10 Controls
PE-1 - Policy and Procedures
PE-2 - Physical Access Authorizations
PE-3 - Physical Access Control
PE-6 - Monitoring Physical Access
PE-8 - Visitor Access Records
PE-12 - Emergency Lighting
PE-13 - Fire Protection
PE-14 - Environmental Controls
PE-15 - Water Damage Protection
PE-16 - Delivery and Removal
PL - Planning
6 Controls
PL-1 - Policy and Procedures
PL-2 - System Security and Privacy Plans
PL-4 - Rules of Behavior
1 Subcontrol
PL-4.1 - Social Media and External Site/Application Usage Restrictions
PL-10 - Baseline Selection
PL-11 - Baseline Tailoring
PS - Personnel Security
9 Controls
PS-1 - Policy and Procedures
PS-2 - Position Risk Designation
PS-3 - Personnel Screening
PS-4 - Personnel Termination
PS-5 - Personnel Transfer
PS-6 - Access Agreements
PS-7 - External Personnel Security
PS-8 - Personnel Sanctions
PS-9 - Position Descriptions
RA - Risk Assessment
8 Controls
RA-1 - Policy and Procedures
RA-2 - Security Categorization
RA-3 - Risk Assessment
1 Subcontrol
RA-3.1 - Supply Chain Risk Assessment
RA-5 - Vulnerability Monitoring and Scanning
2 Subcontrols
RA-5.2 - Update Vulnerabilities to Be Scanned
RA-5.11 - Public Disclosure Program
RA-7 - Risk Response
SA - System and Services Acquisition
9 Controls
SA-1 - Policy and Procedures
SA-2 - Allocation of Resources
SA-3 - System Development Life Cycle
SA-4 - Acquisition Process
1 Subcontrol
SA-4.10 - Use of Approved PIV Products
SA-5 - System Documentation
SA-8 - Security and Privacy Engineering Principles
SA-9 - External System Services
SA-22 - Unsupported System Components
SC - System and Communications Protection
10 Controls
SC-1 - Policy and Procedures
SC-5 - Denial-of-service Protection
SC-7 - Boundary Protection
SC-12 - Cryptographic Key Establishment and Management
SC-13 - Cryptographic Protection
SC-15 - Collaborative Computing Devices and Applications
SC-20 - Secure Name/Address Resolution Service (Authoritative Source)
SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 - Architecture and Provisioning for Name/Address Resolution Service
SC-39 - Process Isolation
SI - System and Information Integrity
6 Controls
SI-1 - Policy and Procedures
SI-2 - Flaw Remediation
SI-3 - Malicious Code Protection
SI-4 - System Monitoring
SI-5 - Security Alerts, Advisories, and Directives
SI-12 - Information Management and Retention
SR - Supply Chain Risk Management
11 Controls
SR-1 - Policy and Procedures
SR-2 - Supply Chain Risk Management Plan
1 Subcontrol
SR-2.1 - Establish SCRM Team
SR-3 - Supply Chain Controls and Processes
SR-5 - Acquisition Strategies, Tools, and Methods
SR-8 - Notification Agreements
SR-10 - Inspection of Systems or Components
SR-11 - Component Authenticity
2 Subcontrols
SR-11.1 - Anti-counterfeit Training
SR-11.2 - Configuration Control for Component Service and Repair
SR-12 - Component Disposal