4 - Controls (also known as countermeasures or defenses)

LINK TO:
  Matching Controls to Threat & Vulnerability
  Risk Management Framework Controls
  NIST 800-53 Controls
  Matching MITRE Controls to ATT&CK Techniques
  MITRE D3FEND

References
  1,620 Cyber Security Vendors: https://www.digitaldefense.com/wp-content/uploads/2018/09/Volume-3.1-TAG-Cyber-Security-Annual-Vendor-Listings.pdf
  Controls - Prices: https://cybersecuritypricing.org/
  NIST SP 800-53 Rev. 5 Controls (draft): https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
  Control Correlation Identifiers (CCI): https://public.cyber.mil/stigs/cci/
  CIS Controls: https://learn.cisecurity.org/cis-controls-download
  Scan of all ports on the internet (Censys): https://censys.io/data
  See NIST Special Publications (SP) for specific areas
  NIST Cybersecurity Framework v1.1: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
  Bill Stearns Active Countermeasures Series
  MITRE ATT&CK Mitigations: https://attack.mitre.org/mitigations

MITRE ATT&CK object counts as recorded on this tab
  Tactics | Techniques | Sub-Techniques | Actors/APTs | Attack Tools | Mitigations
  14 | 188 | 379 | 129 | 638 | 55
Example Matching Controls to Threats & Vulnerabilities
Control Type: Identify (I), Protect (P), Detect (D), Respond (RS), Recover (RC).
Threat columns in the sheet: Denial of Service Attacks | Malicious Web Pages | Malicious Email Attachments | Unauthorized Access to DBMS | Unauthorized Access to Network | Unauthorized Access to Building | Poor Program Oversight | Disgruntled Employee | Switch & Router Attack | Phishing.
Rating: 10 = Strong Direct Protection, 5 = Moderate, blank = None. The export dropped empty cells, so each row's ratings below are listed in the order they appeared without their threat column; read them as illustrative values, not a finished mapping.
Last column: Cross-Ref MITRE ATT&CK (values as exported).

#  | Control | Type | Ratings (as exported) | Cross-Ref
1  | Anti-Malware | I,P | 8 9 9 |
2  | Anti-Virus | I,RS | 4 9 |
3  | Backup | RC | | 1,2
4  | Best Current Practice RFCs | I,D | 9 |
5  | Building Access Control | P | |
6  | Certificates & Certifying Authority | P | |
7  | Client Lockdown | P | | 13,16
8  | DMZ | P | 5 7 |
9  | Email Attachment Blocking/Analysis | D,P | 7 |
10 | Encryption - Data at Rest | P | |
11 | Encryption - Data in Transit | P | | 3
12 | Extensible Authentication Protocol | I,P | |
13 | Firewall Rules | D,P | 9 6 |
14 | Hardened Switch & Router Configuration | P | | 10,11
15 | Infosec Personnel Training | I,P,D,RS,RC | 8 |
16 | Intrusion Detection & Prevention | D,RS | 10 |
17 | Inventories - HW, SW, Datacomm | I | | 16
18 | IPSEC | P | | 13
19 | Logging & Alerts | I,D | 4 |
20 | Multi-Factor Authentication | P | |
21 | Personnel Basic Cyber Training | P | 8 |
22 | Public Key Infrastructure | P | | 20
23 | Reverse Path Filtering | P,D | | 16
24 | Client & Server OS Lockdown | P | | 13
25 | Strong Password Policy | P | | 7,24
26 | Threat Intelligence | I | 4 6 |
27 | Updates / Patch Management | P | 7 |
28 | Vulnerability Scanning | I | |
29 | Web Page Vulnerability Testing | D,P | 8 |
30 | White/Gray/Blacklisting | I,P | 9 |
31 | Endpoint Detection & Response | | |
Three further Cross-Ref cells (27; 15,21; 28) appear in the export below row 31, not attached to any control row.

Cross-Ref MITRE ATT&CK: Mapping of MITRE ATT&CK Mitigations against Threats (14 Tactics, 342 Techniques)
Columns, one per Enterprise Tactic, each showing only its first Technique: Reconnaissance (Active Scanning) | Resource Development (Acquire Infrastructure) | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command & Control | Exfiltration | Impact.
Cell value: Control Type (I, P, D, RS or RC) and a rating where 10 = Strong Direct Protection, 5 = Moderate, blank = None. The rating cells are empty in this export; only the control names and MITRE identifiers survive. The heading says 55 Controls, but the list has 54 entries: M1057 Data Loss Prevention appears only in the full mitigation list that follows.

#  | Control | MITRE ID
1  | Account Use Policies | M1036
2  | Active Directory Configuration | M1015
3  | Antivirus/Antimalware | M1049
4  | Application Developer Guidance | M1013
5  | Application Isolation and Sandboxing | M1048
6  | Application Vetting | M1005
7  | Attestation | M1002
8  | Audit | M1047
9  | Behavior Prevention on Endpoint | M1040
10 | Boot Integrity | M1046
11 | Caution with Device Administrator Access | M1007
12 | Code Signing | M1045
13 | Credential Access Protection | M1043
14 | Data Backup | M1053
15 | Deploy Compromised Device Detection Method | M1010
16 | Disable or Remove Feature or Program | M1042
17 | Do Not Mitigate | M1055
18 | Encrypt Network Traffic | M1009
19 | Encrypt Sensitive Information | M1041
20 | Enterprise Policy | M1012
21 | Environment Variable Permissions | M1039
22 | Execution Prevention | M1038
23 | Exploit Protection | M1050
24 | Filter Network Traffic | M1037
25 | Interconnection Filtering | M1014
26 | Limit Access to Resource Over Network | M1035
27 | Limit Hardware Installation | M1034
28 | Limit Software Installation | M1033
29 | Lock Bootloader | M1003
30 | Authentication - Multifactor | M1032
31 | Network Intrusion Prevention | M1031
32 | Network Segmentation | M1030
33 | Operating System Configuration | M1028
34 | Password Policies | M1027
35 | Pre-compromise | M1056
36 | Privileged Account Management | M1026
37 | Privileged Process Integrity | M1025
38 | Remote Data Storage | M1029
39 | Restrict File and Directory Permissions | M1022
40 | Restrict Library Loading | M1044
41 | Restrict Registry Permissions | M1024
42 | Restrict Web-Based Content | M1021
43 | Security Updates | M1001
44 | Software Configuration | M1054
45 | SSL/TLS Inspection | M1020
46 | System Partition Integrity | M1004
47 | Threat Intelligence Program | M1019
48 | Update Software | M1051
49 | Use Recent OS Version | M1006
50 | User Account Control | M1052
51 | User Account Management | M1018
52 | User Guidance | M1011
53 | User Training | M1017
54 | Vulnerability Scanning | M1016

MITRE ATT&CK Mitigations (55): (E)nterprise or (M)obile, with ATT&CK's own descriptions
#  | ID | E/M | Name | Description
1  | M1001 | M | Security Updates | Install security updates in response to discovered vulnerabilities.
2  | M1002 | M | Attestation | Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.
3  | M1003 | M | Lock Bootloader | On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.
4  | M1004 | M | System Partition Integrity | Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.
5  | M1005 | M | Application Vetting | Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.
6  | M1006 | M | Use Recent OS Version | New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.
7  | M1007 | M | Caution with Device Administrator Access | Warn device users not to accept requests to grant Device Administrator access to applications without good reason.
8  | M1009 | M | Encrypt Network Traffic | Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.
9  | M1010 | M | Deploy Compromised Device Detection Method | A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.
10 | M1011 | M | User Guidance | Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.
11 | M1012 | M | Enterprise Policy | An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.
12 | M1013 | M | Application Developer Guidance | This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
13 | M1014 | M | Interconnection Filtering | In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests.
14 | M1015 | E | Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
15 | M1016 | E | Vulnerability Scanning | Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
16 | M1017 | E | User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
17 | M1018 | E | User Account Management | Manage the creation, modification, use, and permissions associated to user accounts.
18 | M1019 | E | Threat Intelligence Program | A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.
19 | M1020 | E | SSL/TLS Inspection | Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
20 | M1021 | E | Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
21 | M1022 | E | Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
22 | M1024 | E | Restrict Registry Permissions | Restrict the ability to modify certain hives or keys in the Windows Registry.
23 | M1025 | E | Privileged Process Integrity | Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.
24 | M1026 | E | Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
25 | M1027 | E | Password Policies | Set and enforce secure password policies for accounts.
26 | M1028 | E | Operating System Configuration | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
27 | M1029 | E | Remote Data Storage | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
28 | M1030 | E | Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
29 | M1031 | E | Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries.
30 | M1032 | E | Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.
31 | M1033 | E | Limit Software Installation | Block users or groups from installing unapproved software.
32 | M1034 | E | Limit Hardware Installation | Block users or groups from installing or using unapproved hardware on systems, including USB devices.
33 | M1035 | E | Limit Access to Resource Over Network | Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
34 | M1036 | E | Account Use Policies | Configure features related to account use like login attempt lockouts, specific login times, etc.
35 | M1037 | E | Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
36 | M1038 | E | Execution Prevention | Block execution of code on a system through application control, and/or script blocking.
37 | M1039 | E | Environment Variable Permissions | Prevent modification of environment variables by unauthorized users and groups.
38 | M1040 | E | Behavior Prevention on Endpoint | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
39 | M1041 | E | Encrypt Sensitive Information | Protect sensitive information with strong encryption.
40 | M1042 | E | Disable or Remove Feature or Program | Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
41 | M1043 | E | Credential Access Protection | Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.
42 | M1044 | E | Restrict Library Loading | Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
43 | M1045 | E | Code Signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
44 | M1046 | E | Boot Integrity | Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
45 | M1047 | E | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
46 | M1048 | E | Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system.
47 | M1049 | E | Antivirus/Antimalware | Use signatures or heuristics to detect malicious software.
48 | M1050 | E | Exploit Protection | Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
49 | M1051 | E | Update Software | Perform regular software updates to mitigate exploitation risk.
50 | M1052 | E | User Account Control | Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
51 | M1053 | E | Data Backup | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.
52 | M1054 | E | Software Configuration | Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
53 | M1055 | E | Do Not Mitigate | This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.
54 | M1056 | E | Pre-compromise | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.
55 | M1057 | E | Data Loss Prevention | Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.
The sheet also carries a second, Enterprise-only list of 43 mitigations (numbered 1 to 43: M1013, then M1015 through M1057 with no M1023) whose names and descriptions repeat the rows above; it is not reproduced here.

NIST Cybersecurity Framework Core subcategories
SOURCE: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
The tab labels this section "The Risk Management Framework (RMF) Controls", but the source document at that URL is the NIST Cybersecurity Framework v1.1 (April 2018) and the items below are its Core subcategories. The Risk Management Framework proper is NIST SP 800-37; its control catalog is SP 800-53, linked above.

IDENTIFY (ID)
Categories: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), Supply Chain Risk Management (ID.SC)
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.BE-1: The organization's role in the supply chain is identified and communicated
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
ID.GV-1: Organizational cybersecurity policy is established and communicated
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders      
ID.RM-2: Organizational risk tolerance is determined and clearly expressed       MITRE D3FEND (2022) 
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis    
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders    
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process     
ID.SC-3: Contracts with suppliers and 3rd-party partners are used to implement appropriate measures designed to meet the objectives of an org’s cybersecurity program and Cyber SupplyChain Risk Mgmt Plan
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.    
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers    
PROTECT (PR)   Access Control & Identity Management PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes    
  Awareness and Training PR.AC-2: Physical access to assets is managed and protected    
  Data Security PR.AC-3: Remote access is managed    
  Information Protection Processes and Procedures PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties    
  Maintenance PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)    
  Protective Technology PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions    
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)    
PR.AT-1: All users are informed and trained         
PR.AT-2: Privileged users understand their roles and responsibilities         
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities         
PR.AT-4: Senior executives understand their roles and responsibilities         
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities         
PR.DS-1: Data-at-rest is protected                        
PR.DS-2: Data-in-transit is protected                        
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition                        
PR.DS-4: Adequate capacity to ensure availability is maintained                        
PR.DS-5: Protections against data leaks are implemented                        
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity                        
PR.DS-7: The development and testing environment(s) are separate from the production environment                        
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity                        
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)                        
PR.IP-2: A System Development Life Cycle to manage systems is implemented                        
PR.IP-3: Configuration change control processes are in place                        
PR.IP-4: Backups of information are conducted, maintained, and tested                         
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met                        
PR.IP-6: Data is destroyed according to policy                        
PR.IP-7: Protection processes are improved                        
PR.IP-8: Effectiveness of protection technologies is shared                         
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed                        
PR.IP-10: Response and recovery plans are tested                        
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)                        
PR.IP-12: A vulnerability management plan is developed and implemented                        
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools                        
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access                        
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy                        
PR.PT-2: Removable media is protected and its use restricted according to policy                        
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities                        
PR.PT-4: Communications and control networks are protected                        
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations                        
DETECT
Anomalies and Events
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Security Continuous Monitoring
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved
RESPOND
Response Planning
RS.RP-1: Response plan is executed during or after an incident
Communications
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Analysis
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
Mitigation
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
RECOVER
Recovery Planning
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
Improvements
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications
RC.CO-1: Public relations are managed
RC.CO-2: Reputation is repaired after an incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Detail Location in 800-53 r4
NIST Publication 800-53 Controls (Total 173)
Family Number Name Appendix   in PDF    
ACCESS CONTROL AC-1 ACCESS CONTROL POLICY AND PROCEDURES F-AC F-7 164
AC-2  ACCOUNT MANAGEMENT
AC-3 ACCESS ENFORCEMENT
AC-4 INFORMATION FLOW ENFORCEMENT
AC-5 SEPARATION OF DUTIES
AC-6 LEAST PRIVILEGE
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
AC-8 SYSTEM USE NOTIFICATION
AC-10 CONCURRENT SESSION LOCK
AC-11 SESSION LOCK
AC-12 SESSION TERMINATION
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-17 REMOTE ACCESS
AC-18 WIRELESS ACCESS
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-21 INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE CONTENT
AWARENESS & TRAINING AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
AT-2 SECURITY AWARENESS TRAINING
AT-3 ROLE-BASED SECURITY TRAINING
AT-4 SECURITY TRAINING RECORDS
AUDIT AND ACCOUNTABILITY AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
AU-2 AUDIT EVENTS
AU-3 CONTENT OF AUDIT RECORDS
AU-4 AUDIT STORAGE CAPACITY
AU-5 RESPONSE TO AUDIT PROCESSING FAILURES
AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
AU-7 AUDIT REDUCTION AND REPORT GENERATION
AU-8 TIME STAMPS
AU-9 PROTECTION OF AUDIT INFORMATION
AU-11 AUDIT RECORD RETENTION
AU-12 AUDIT GENERATION
SECURITY ASSESSMENT AND AUTHORIZATION CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
CA-2 SECURITY ASSESSMENTS
CA-3 SYSTEM INTERCONNECTIONS
CA-5 PLAN OF ACTION AND MILESTONES
CA-6 SECURITY AUTHORIZATION
CA-7 CONTINUOUS MONITORING
CA-8 PENETRATION TESTING
CA-9 INTERNAL SYSTEM CONNECTIONS
CONFIGURATION MANAGEMENT CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-2 BASELINE CONFIGURATION
CM-3 CONFIGURATION CHANGE CONTROL
CM-4 SECURITY IMPACT ANALYSIS
CM-5 ACCESS RESTRICTIONS FOR CHANGE
CM-6 CONFIGURATION SETTINGS
CM-7 LEAST FUNCTIONALITY
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CM-9 CONFIGURATION MANAGEMENT PLAN
CM-10 SOFTWARE USAGE RESTRICTIONS
CM-11 USER-INSTALLED SOFTWARE
CONTINGENCY PLANNING CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
CP-2 CONTINGENCY PLAN
CP-3 CONTINGENCY TRAINING
CP-4 CONTINGENCY PLAN TESTING
CP-6 ALTERNATE STORAGE SITE
CP-7 ALTERNATE PROCESSING SITE
CP-8 TELECOMMUNICATIONS SERVICES
CP-9 INFORMATION SYSTEM BACKUP
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
IDENTIFICATION AND AUTHENTICATION IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
IA-4 IDENTIFIER MANAGEMENT
IA-5 AUTHENTICATOR MANAGEMENT
IA-6 AUTHENTICATOR FEEDBACK
IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
INCIDENT RESPONSE IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
IR-2 INCIDENT RESPONSE TRAINING
IR-3 INCIDENT RESPONSE TESTING
IR-4 INCIDENT HANDLING
IR-5 INCIDENT MONITORING
IR-6 INCIDENT REPORTING
IR-7 INCIDENT RESPONSE ASSISTANCE
IR-8 INCIDENT RESPONSE PLAN
IR-9 INFORMATION SPILLAGE RESPONSE
MAINTENANCE MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES
MA-2 CONTROLLED MAINTENANCE
MA-3 MAINTENANCE TOOLS
MA-4 NONLOCAL MAINTENANCE
MA-5 MAINTENANCE PERSONNEL
MA-6 TIMELY MAINTENANCE
MEDIA PROTECTION MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
MP-2 MEDIA ACCESS
MP-3 MEDIA MARKING
MP-4 MEDIA STORAGE
MP-5 MEDIA TRANSPORT
MP-6 MEDIA SANITIZATION
MP-7 MEDIA USE
PHYSICAL AND ENVIRONMENTAL PROTECTION PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
PE-3 PHYSICAL ACCESS CONTROL
PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-6 MONITORING PHYSICAL ACCESS
PE-8 VISITOR ACCESS RECORDS
PE-9 POWER EQUIPMENT AND CABLING
PE-10 EMERGENCY SHUTOFF
PE-11 EMERGENCY POWER
PE-12 EMERGENCY LIGHTING
PE-13 FIRE PROTECTION
PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-15 WATER DAMAGE PROTECTION
PE-16 DELIVERY AND REMOVAL
PE-17 ALTERNATE WORK SITE
PLANNING PL-1 SECURITY PLANNING POLICY AND PROCEDURES
PL-2 SYSTEM SECURITY PLAN
PL-4 RULES OF BEHAVIOR
PL-8 INFORMATION SECURITY ARCHITECTURE
PERSONNEL SECURITY PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
PS-2 POSITION RISK DESIGNATION
PS-3 PERSONNEL SCREENING
PS-4 PERSONNEL TERMINATION
PS-5 PERSONNEL TRANSFER
PS-6 ACCESS AGREEMENTS
PS-7 THIRD-PARTY PERSONNEL SECURITY
PS-8 PERSONNEL SANCTIONS
RISK ASSESSMENT RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
RA-2 SECURITY CATEGORIZATION
RA-3 RISK ASSESSMENT
RA-5 VULNERABILITY SCANNING
SYSTEM AND SERVICES ACQUISITION SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
SA-2 ALLOCATION OF RESOURCES
SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
SA-4 ACQUISITION PROCESS
SA-5 INFORMATION SYSTEM DOCUMENTATION
SA-8 SECURITY ENGINEERING PRINCIPLES
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
SA-10 DEVELOPER CONFIGURATION MANAGEMENT
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
SYSTEM AND COMMUNICATIONS PROTECTION SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-2 APPLICATION PARTITIONING
SC-4 INFORMATION IN SHARED RESOURCES
SC-5 DENIAL OF SERVICE PROTECTION
SC-7 BOUNDARY PROTECTION
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
SC-10 NETWORK DISCONNECT
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-13 CRYPTOGRAPHIC PROTECTION
SC-15 COLLABORATIVE COMPUTING DEVICES
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-18 MOBILE CODE
SC-19 VOICE OVER INTERNET PROTOCOL
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE 
SC-23 SESSION AUTHENTICITY
SC-28 PROTECTION OF INFORMATION AT REST
SC-39 PROCESS ISOLATION
SYSTEM AND INFORMATION INTEGRITY SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SI-2 FLAW REMEDIATION
SI-3 MALICIOUS CODE PROTECTION
SI-4 INFORMATION SYSTEM MONITORING
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SI-6 SECURITY FUNCTION VERIFICATION
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
SI-8 SPAM PROTECTION
SI-10 INFORMATION INPUT VALIDATION
SI-11 ERROR HANDLING
SI-12 INFORMATION OUTPUT HANDLING AND RETENTION
SI-16 MEMORY PROTECTION
SECURITY SE-1 INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
SE-2 PRIVACY INCIDENT RESPONSE
TRANSPARENCY TR-1 PRIVACY NOTICE
TR-2 SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS
TR-3 DISSEMINATION OF PRIVACY PROGRAM INFORMATION
USE LIMITATION UL-1 INTERNAL USE
UL-2 INFORMATION SHARING WITH THIRD PARTIES
Bill Stearns Active Countermeasures Series
1. Unexpected Protocol on Non-Standard Port
2. Long Connections
3. Client Signatures (User Agent)
4. DNS
5. Beacons
6. Threat Intel
7. Certificate Issues
8. Client Signatures (TLS Signature)