NIST SP800-53 Controls

SR-9: Tamper Resistance and Detection
SR-8: Notification Agreements
SR-7: Supply Chain Operations Security
SR-6: Supplier Assessments and Reviews
SR-5: Acquisition Strategies, Tools, and Methods
SR-4: Provenance
SR-3: Supply Chain Controls and Processes
SR-2: Supply Chain Risk Management Plan
SR-12: Component Disposal
SR-11: Component Authenticity
SR-10: Inspection of Systems or Components
SR-1: Policy and Procedures
SI-9: Information Input Restrictions
SI-8: Spam Protection
SI-7: Software, Firmware, and Information Integrity
SI-6: Security and Privacy Function Verification
SI-5: Security Alerts, Advisories, and Directives
SI-4: System Monitoring
SI-3: Malicious Code Protection
SI-23: Information Fragmentation
SI-22: Information Diversity
SI-21: Information Refresh
SI-20: Tainting
SI-2: Flaw Remediation
SI-19: De-Identification
SI-18: Personally Identifiable Information Quality Operations
SI-17: Fail-Safe Procedures
SI-16: Memory Protection
SI-15: Information Output Filtering
SI-14: Non-Persistence
SI-13: Predictable Failure Prevention
SI-12: Information Management and Retention
SI-11: Error Handling
SI-10: Information Input Validation
SI-1: Policy and Procedures
SC-9: Transmission Confidentiality
SC-8: Transmission Confidentiality and Integrity
SC-7: Boundary Protection
SC-6: Resource Availability
SC-51: Hardware-Based Protection
SC-50: Software-Enforced Separation and Policy Enforcement
SC-5: Denial-of-Service Protection
SC-49: Hardware-Enforced Separation and Policy Enforcement
SC-48: Sensor Relocation
SC-47: Alternate Communications Paths
SC-46: Cross Domain Policy Enforcement
SC-45: System Time Synchronization
SC-44: Detonation Chambers
SC-43: Usage Restrictions
SC-42: Sensor Capability and Data
SC-41: Port and I/O Device Access
SC-40: Wireless Link Protection
SC-4: Information in Shared System Resources
SC-39: Process Isolation
SC-38: Operations Security
SC-37: Out-of-Band Channels
SC-36: Distributed Processing and Storage
SC-35: External Malicious Code Identification
SC-34: Non-Modifiable Executable Programs
SC-33: Transmission Preparation Integrity
SC-32: System Partitioning
SC-31: Covert Channel Analysis
SC-30: Concealment and Misdirection
SC-3: Security Function Isolation
SC-29: Heterogeneity
SC-28: Protection of Information at Rest
SC-27: Platform-Independent Applications
SC-26: Decoys
SC-25: Thin Nodes
SC-24: Fail in Known State
SC-23: Session Authenticity
SC-22: Architecture and Provisioning for Name/Address Resolution Service
SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-20: Secure Name/Address Resolution Service (Authoritative Source)
SC-2: Separation of System and User Functionality
SC-19: Voice Over Internet Protocol
SC-18: Mobile Code
SC-17: Public Key Infrastructure Certificates
SC-16: Transmission of Security and Privacy Attributes
SC-15: Collaborative Computing Devices and Applications
SC-14: Public Access Protections
SC-13: Cryptographic Protection
SC-12: Cryptographic Key Establishment and Management
SC-11: Trusted Path
SC-10: Network Disconnect
SC-1: Policy and Procedures
SA-9: External System Services
SA-8: Security and Privacy Engineering Principles
SA-7: User-installed Software
SA-6: Software Usage Restrictions
SA-5: System Documentation
SA-4: Acquisition Process
SA-3: System Development Life Cycle
SA-23: Specialization
SA-22: Unsupported System Components
SA-21: Developer Screening
SA-20: Customized Development of Critical Components
SA-2: Allocation of Resources
SA-19: Component Authenticity
SA-18: Tamper Resistance and Detection
SA-17: Developer Security and Privacy Architecture and Design
SA-16: Developer-Provided Training
SA-15: Development Process, Standards, and Tools
SA-14: Criticality Analysis
SA-13: Trustworthiness
SA-12: Supply Chain Protection
SA-11: Developer Testing and Evaluation
SA-10: Developer Configuration Management
SA-1: Policy and Procedures
RA-9: Criticality Analysis
RA-8: Privacy Impact Assessments
RA-7: Risk Response
RA-6: Technical Surveillance Countermeasures Survey
RA-5: Vulnerability Monitoring and Scanning
RA-4: Risk Assessment Update
RA-3: Risk Assessment
RA-2: Security Categorization
RA-10: Threat Hunting
RA-1: Policy and Procedures
PT-8: Computer Matching Requirements
PT-7: Specific Categories of Personally Identifiable Information
PT-6: System of Records Notice
PT-5: Privacy Notice
PT-4: Consent
PT-3: Personally Identifiable Information Processing Purposes
PT-2: Authority to Process Personally Identifiable Information
PT-1: Policy and Procedures
PS-9: Position Descriptions
PS-8: Personnel Sanctions
PS-7: External Personnel Security
PS-6: Access Agreements
PS-5: Personnel Transfer
PS-4: Personnel Termination
PS-3: Personnel Screening
PS-2: Position Risk Designation
PS-1: Policy and Procedures
PM-9: Risk Management Strategy
PM-8: Critical Infrastructure Plan
PM-7: Enterprise Architecture
PM-6: Measures of Performance
PM-5: System Inventory
PM-4: Plan of Action and Milestones Process
PM-32: Purposing
PM-31: Continuous Monitoring Strategy
PM-30: Supply Chain Risk Management Strategy
PM-3: Information Security and Privacy Resources
PM-29: Risk Management Program Leadership Roles
PM-28: Risk Framing
PM-27: Privacy Reporting
PM-26: Complaint Management
PM-25: Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-24: Data Integrity Board
PM-23: Data Governance Body
PM-22: Personally Identifiable Information Quality Management
PM-21: Accounting of Disclosures
PM-20: Dissemination of Privacy Program Information
PM-2: Information Security Program Leadership Role
PM-19: Privacy Program Leadership Role
PM-18: Privacy Program Plan
PM-17: Protecting Controlled Unclassified Information on External Systems
PM-16: Threat Awareness Program
PM-15: Security and Privacy Groups and Associations
PM-14: Testing, Training, and Monitoring
PM-13: Security and Privacy Workforce
PM-12: Insider Threat Program
PM-11: Mission and Business Process Definition
PM-10: Authorization Process
PM-1: Information Security Program Plan
PL-9: Central Management
PL-8: Security and Privacy Architectures
PL-7: Concept of Operations
PL-6: Security-Related Activity Planning
PL-5: Privacy Impact Assessment
PL-4: Rules of Behavior
PL-3: System Security Plan Update
PL-2: System Security and Privacy Plans
PL-11: Baseline Tailoring
PL-10: Baseline Selection
PL-1: Policy and Procedures
PE-9: Power Equipment and Cabling
PE-8: Visitor Access Records
PE-7: Visitor Control
PE-6: Monitoring Physical Access
PE-5: Access Control for Output Devices
PE-4: Access Control for Transmission
PE-3: Physical Access Control
PE-23: Facility Location
PE-22: Component Marking
PE-21: Electromagnetic Pulse Protection
PE-20: Asset Monitoring and Tracking
PE-2: Physical Access Authorizations
PE-19: Information Leakage
PE-18: Location of System Components
PE-17: Alternate Work Site
PE-16: Delivery and Removal
PE-15: Water Damage Protection
PE-14: Environmental Controls
PE-13: Fire Protection
PE-12: Emergency Lighting
PE-11: Emergency Power
PE-10: Emergency Shutoff
PE-1: Policy and Procedures
MP-8: Media Downgrading
MP-7: Media Use
MP-6: Media Sanitization
MP-5: Media Transport
MP-4: Media Storage
MP-3: Media Marking
MP-2: Media Access
MP-1: Policy and Procedures
MA-7: Field Maintenance
MA-6: Timely Maintenance
MA-5: Maintenance Personnel
MA-4: Nonlocal Maintenance
MA-3: Maintenance Tools
MA-2: Controlled Maintenance
MA-1: Policy and Procedures
IR-9: Information Spillage Response
IR-8: Incident Response Plan
IR-7: Incident Response Assistance
IR-6: Incident Reporting
IR-5: Incident Monitoring
IR-4: Incident Handling
IR-3: Incident Response Testing
IR-2: Incident Response Training
IR-10: Integrated Information Security Analysis Team
IR-1: Policy and Procedures
IA-9: Service Identification and Authentication
IA-8: Identification and Authentication (Non-Organizational Users)
IA-7: Cryptographic Module Authentication
IA-6: Authentication Feedback
IA-5: Authenticator Management
IA-4: Identifier Management
IA-3: Device Identification and Authentication
IA-2: Identification and Authentication (Organizational Users)
IA-12: Identity Proofing
IA-11: Re-Authentication
IA-10: Adaptive Authentication
IA-1: Policy and Procedures
CP-9: System Backup
CP-8: Telecommunications Services
CP-7: Alternate Processing Site
CP-6: Alternate Storage Site
CP-5: Contingency Plan Update
CP-4: Contingency Plan Testing
CP-3: Contingency Training
CP-2: Contingency Plan
CP-13: Alternative Security Mechanisms
CP-12: Safe Mode
CP-11: Alternate Communications Protocols
CP-10: System Recovery and Reconstitution
CP-1: Policy and Procedures
CM-9: Configuration Management Plan
CM-8: System Component Inventory
CM-7: Least Functionality
CM-6: Configuration Settings
CM-5: Access Restrictions for Change
CM-4: Impact Analyses
CM-3: Configuration Change Control
CM-2: Baseline Configuration
CM-14: Signed Components
CM-13: Data Action Mapping
CM-12: Information Location
CM-11: User-installed Software
CM-10: Software Usage Restrictions
CM-1: Policy and Procedures
CA-9: Internal System Connections
CA-8: Penetration Testing
CA-7: Continuous Monitoring
CA-6: Authorization
CA-5: Plan of Action and Milestones
CA-4: Security Certification
CA-3: Information Exchange
CA-2: Control Assessments
CA-1: Policy and Procedures
AU-9: Protection of Audit Information
AU-8: Time Stamps
AU-7: Audit Record Reduction and Report Generation
AU-6: Audit Record Review, Analysis, and Reporting
AU-5: Response to Audit Logging Process Failures
AU-4: Audit Log Storage Capacity
AU-3: Content of Audit Records
AU-2: Event Logging
AU-16: Cross-Organizational Audit Logging
AU-15: Alternate Audit Logging Capability
AU-14: Session Audit
AU-13: Monitoring for Information Disclosure
AU-12: Audit Record Generation
AU-11: Audit Record Retention
AU-10: Non-Repudiation
AU-1: Policy and Procedures
AT-6: Training Feedback
AT-5: Contacts with Security Groups and Associations
AT-4: Training Records
AT-3: Role-Based Training
AT-2: Literacy Training and Awareness
AT-1: Policy and Procedures
AC-9: Previous Logon Notification
AC-8: System Use Notification
AC-7: Unsuccessful Logon Attempts
AC-6: Least Privilege
AC-5: Separation of Duties
AC-4: Information Flow Enforcement
AC-3: Access Enforcement
AC-25: Reference Monitor
AC-24: Access Control Decisions
AC-23: Data Mining Protection
AC-22: Publicly Accessible Content
AC-21: Information Sharing
AC-20: Use of External Systems
AC-2: Account Management
AC-19: Access Control for Mobile Devices
AC-18: Wireless Access
AC-17: Remote Access
AC-16: Security and Privacy Attributes
AC-15: Automated Marking
AC-14: Permitted Actions Without Identification or Authentication
AC-13: Supervision and Review — Access Control
AC-12: Session Termination
AC-11: Device Lock
AC-10: Concurrent Session Control
AC-1: Policy and Procedures