National Institute of Standards and Technology (NIST) - Information Technology Laboratory (ITL)

Supporting NIST 800-53 Security Controls and Publications

The major controls in the NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems control catalog that impact telework are:

AC-4, Information Flow Enforcement
Related controls: AC-17, AC-19, AC-21, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18

AC-17, Remote Access
Related controls: AC-3, AC-18, AC-20, IA-2, IA-3, IA-8, MA-4
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121

AC-18, Wireless Access
Related controls: AC-3, IA-2, IA-3, IA-8
References: NIST Special Publications 800-48, 800-94, 800-97

AC-19, Access Control for Mobile Devices
Related controls: MP-4, MP-5
References: NIST Special Publications 800-114, 800-124

AC-21, User-Based Collaboration and Information Sharing
Related control: AC-3

CA-2, Security Assessments
Related controls: CA-6, CA-7, PM-9, SA-11
References: FIPS Publication 199; NIST Special Publications 800-37, 800-53A, 800-115

CA-5, Plan of Action and Milestones
Related control: PM-4
References: OMB Memorandum 02-01; NIST Special Publication 800-37

CA-6, Security Authorization
Related controls: CA-2, CA-7, PM-9, PM-10
References: OMB Circular A-130; NIST Special Publication 800-37

CA-7, Continuous Monitoring
Related controls: CA-2, CA-5, CA-6, CM-3, CM-4
References: NIST Special Publications 800-37, 800-53A; US-CERT Technical Cyber Security Alerts; DOD Information Assurance Vulnerability Alerts

CM-6, Configuration Settings
Related controls: CM-2, CM-3, SI-4
References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: nvd.nist.gov, www.nsa.gov

CM-7, Least Functionality
Related control: RA-5

AU-2, Auditable Events
Related control: AU-3
References: NIST Special Publication 800-92; Web: CSRC.NIST.GOV/PCIG/CIG.HTML

IA-1, Identification and Authentication Policy and Procedures
Related control: PM-9
References: FIPS Publication 201; NIST Special Publications 800-12, 800-63, 800-73, 800-76, 800-78, 800-100

IA-2, Identification and Authentication (Organizational Users)
Related controls: AC-14, AC-17, AC-18, IA-4, IA-5
References: HSPD 12; OMB Memorandum 04-04; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78

IA-3, Device Identification and Authentication
Related controls: AC-17, AC-18

IA-5, Authenticator Management
Related controls: AC-2, IA-2, PL-4, PS-6
References: OMB Memorandum 04-04; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78

IA-8, Identification and Authentication (Non-Organizational Users)
Related controls: AC-14, AC-17, AC-18, MA-4
References: OMB Memorandum 04-04; Web: www.cio.gov/eauthentication; NIST Special Publication 800-63

IR-3, Incident Response Testing and Exercises
Related control: AT-2
References: NIST Special Publications 800-84, 800-115

IR-4, Incident Handling
Related controls: AU-6, CP-2, IR-2, IR-3, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7
References: NIST Special Publication 800-61

PE-17, Alternate Work Site
References: NIST Special Publication 800-46

MA-3, Maintenance Tools
Related control: MP-6
References: NIST Special Publication 800-88

MA-4, Non-Local Maintenance
Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-8, MA-5, MP-6, SC-7
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15

MA-6, Timely Maintenance
Related control: CP-2

MP-2, Media Access
Related controls: MP-4, PE-3
References: FIPS Publication 199; NIST Special Publication 800-111

MP-4, Media Storage
Related controls: AC-3, AC-19, CP-6, CP-9, MP-2, PE-3
References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-111

MP-6, Media Sanitization
References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: https://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml

PM-1, Information Security Program Plan
Related control: PM-8

PM-4, Plan of Action and Milestones Process
Related control: CA-5
References: OMB Memorandum 02-01; NIST Special Publication 800-37

RA-5, Vulnerability Scanning
Related controls: CA-2, CM-6, RA-3, SI-2
References: NIST Special Publications 800-40, 800-70, 800-115; Web: cwe.mitre.org, nvd.nist.gov

SA-4, Acquisitions
References: ISO/IEC 15408; FIPS Publication 140-2; NIST Special Publications 800-23, 800-35, 800-36, 800-64, 800-70; Web: www.niap-ccevs.org

SA-13, Trustworthiness
Related controls: RA-2, SA-4, SA-8, SC-3
References: FIPS Publications 199, 200; NIST Special Publications 800-53, 800-53A, 800-60, 800-64

SC-2, Application Partitioning

SC-7, Boundary Protection
Related controls: AC-4, IR-4, SC-5
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77

SC-8, Transmission Integrity
Related controls: AC-17, PE-4
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; NSTISSI No. 7003

SC-9, Transmission Confidentiality
Related controls: AC-17, PE-4
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-113; CNSS Policy 15; NSTISSI No. 7003

SC-17, Public Key Infrastructure Certificates
References: OMB Memorandum 05-24; NIST Special Publications 800-32, 800-63

SC-18, Mobile Code
References: NIST Special Publication 800-28; DOD Instruction 8552.01

SC-20, Secure Name/Address Resolution Service (Authoritative Source)
References: OMB Memorandum 08-23; NIST Special Publication 800-81

SC-21, Secure Name/Address Resolution Service (Recursive or Caching Resolver)
References: NIST Special Publication 800-81

SC-22, Architecture and Provisioning for Name/Address Resolution Service
References: NIST Special Publication 800-81

SC-23, Session Authenticity
References: NIST Special Publications 800-52, 800-77, 800-95

SC-28, Protection of Information at Rest
References: NIST Special Publications 800-56, 800-57, 800-111

SI-2, Flaw Remediation
Related controls: CA-2, CA-7, CM-3, MA-2, IR-4, RA-5, SA-11, SI-11
References: NIST Special Publication 800-40

SI-3, Malicious Code Protection
Related controls: SA-4, SA-8, SA-12, SA-13, SI-4, SI-7
References: NIST Special Publication 800-83

SI-4, Information System Monitoring
Related controls: AC-4, AC-8, AC-17, AU-2, AU-6, SI-3, SI-7
References: NIST Special Publications 800-61, 800-83, 800-92, 800-94

SI-5, Security Alerts, Advisories, and Directives
References: NIST Special Publication 800-40

SI-8, Spam Protection
Related controls: SC-5, SI-3
References: NIST Special Publication 800-45

Information on these controls and guidance on possible implementations can be found in the following publications:

Special Publication (SP) 800-46 Rev. 1, Guide to Enterprise Telework and Remote Access Security

Special Publication (SP) 800-114, User's Guide to Securing External Devices for Telework and Remote Access

Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices

Special Publication (SP) 800-113, Guide to SSL VPNs

Special Publication (SP) 800-77, Guide to IPsec VPNs

Special Publication (SP) 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

Special Publication (SP) 800-48 Rev. 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks

Special Publication (SP) 800-127, Guide to Securing WiMAX Wireless Communications

Special Publication (SP) 800-121 Rev. 1, Guide to Bluetooth Security

Special Publication (SP) 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication

Special Publication (SP) 800-54, Border Gateway Protocol Security

Special Publication (SP) 800-81 Rev. 1, Secure Domain Name System (DNS) Deployment Guide

Special Publication (SP) 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy

Special Publication (SP) 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)

Special Publication (SP) 800-92, Guide to Computer Security Log Management

Draft Special Publication (SP) 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication

Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Special Publication (SP) 800-63 Rev. 2, E-Authentication Guideline

Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management

Special Publication (SP) 800-70 Rev. 2, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers

Special Publication (SP) 800-123, Guide to General Server Security

Special Publication (SP) 800-68, Guide to Securing Microsoft Windows XP Systems for IT Professionals

Special Publication (SP) 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

Special Publication (SP) 800-124, Guidelines on Cell Phone and PDA Security

Special Publication (SP) 800-88 Rev. 1, Guidelines for Media Sanitization

Special Publication (SP) 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations

Special Publication (SP) 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program

Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0

Special Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment

Special Publication (SP) 800-28 Version 2, Guidelines on Active Content and Mobile Code

Special Publication (SP) 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations