Map the Council on CyberSecurity's Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4

Each row maps one CSC v5.0 control (CSC#) to one NIST SP 800-53 Rev 4 control, given by its control identifier (CTRL-ID) and control name; REC# is the sequential record number of the mapping row. A CSC maps to several NIST controls, and the same NIST control (for example CA-07 and SI-04) recurs under many CSCs.

REC#  CSC#  CTRL-ID  NIST SP 800-53 REVISION 4
1     1     CM-08    INFORMATION SYSTEM COMPONENT INVENTORY
2     1     IA-03    DEVICE IDENTIFICATION AND AUTHENTICATION
3     1     PM-05    INFORMATION SYSTEM INVENTORY
4     1     CA-07    CONTINUOUS MONITORING
5     1     SI-04    INFORMATION SYSTEM MONITORING
6     1     SA-04    ACQUISITION PROCESS
7     1     SA-17    DEVELOPER SECURITY ARCHITECTURE AND DESIGN
8     2     CM-02    BASELINE CONFIGURATION
9     2     CM-08    INFORMATION SYSTEM COMPONENT INVENTORY
10    2     CM-10    SOFTWARE USAGE RESTRICTIONS
11    2     CM-11    USER-INSTALLED SOFTWARE
12    2     PM-05    INFORMATION SYSTEM INVENTORY
13    2     CA-07    CONTINUOUS MONITORING
14    2     SC-18    MOBILE CODE
15    2     SC-34    NON-MODIFIABLE EXECUTABLE PROGRAMS
16    2     SI-04    INFORMATION SYSTEM MONITORING
17    2     SA-04    ACQUISITION PROCESS
18    3     CM-02    BASELINE CONFIGURATION
19    3     CM-03    CONFIGURATION CHANGE CONTROL
20    3     CM-05    ACCESS RESTRICTIONS FOR CHANGE
21    3     CM-06    CONFIGURATION SETTINGS
22    3     CM-07    LEAST FUNCTIONALITY
23    3     CM-08    INFORMATION SYSTEM COMPONENT INVENTORY
24    3     CM-09    CONFIGURATION MANAGEMENT PLAN
25    3     CM-11    USER-INSTALLED SOFTWARE
26    3     MA-04    NONLOCAL MAINTENANCE
27    3     RA-05    VULNERABILITY SCANNING
28    3     CA-07    CONTINUOUS MONITORING
29    3     SC-15    COLLABORATIVE COMPUTING DEVICES
30    3     SC-34    NON-MODIFIABLE EXECUTABLE PROGRAMS
31    3     SI-02    FLAW REMEDIATION
32    3     SI-04    INFORMATION SYSTEM MONITORING
33    3     SA-04    ACQUISITION PROCESS
34    4     RA-05    VULNERABILITY SCANNING
35    4     CA-02    SECURITY ASSESSMENTS
36    4     CA-07    CONTINUOUS MONITORING
37    4     SC-34    NON-MODIFIABLE EXECUTABLE PROGRAMS
38    4     SI-04    INFORMATION SYSTEM MONITORING
39    4     SI-07    SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
The Council on Cybersecurity Page 1 of 6 The Council on CyberSecurity
40    5     CA-07    CONTINUOUS MONITORING
41    5     SC-39    PROCESS ISOLATION
42    5     SC-44    DETONATION CHAMBERS
43    5     SI-03    MALICIOUS CODE PROTECTION
44    5     SI-04    INFORMATION SYSTEM MONITORING
45    5     SI-08    SPAM PROTECTION
46    6     RA-05    VULNERABILITY SCANNING
47    6     SC-39    PROCESS ISOLATION
48    6     SI-10    INFORMATION INPUT VALIDATION
49    6     SI-11    ERROR HANDLING
50    6     SI-15    INFORMATION OUTPUT FILTERING
51    6     SI-16    MEMORY PROTECTION
52    6     SA-03    SYSTEM DEVELOPMENT LIFE CYCLE
53    6     SA-10    DEVELOPER CONFIGURATION MANAGEMENT
54    6     SA-11    DEVELOPER SECURITY TESTING AND EVALUATION
55    6     SA-13    TRUSTWORTHINESS
56    6     SA-15    DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
57    6     SA-16    DEVELOPER-PROVIDED TRAINING
58    6     SA-17    DEVELOPER SECURITY ARCHITECTURE AND DESIGN
59    6     SA-20    CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS
60    6     SA-21    DEVELOPER SCREENING
61    7     AC-18    WIRELESS ACCESS
62    7     AC-19    ACCESS CONTROL FOR MOBILE DEVICES
63    7     CM-02    BASELINE CONFIGURATION
64    7     IA-03    DEVICE IDENTIFICATION AND AUTHENTICATION
65    7     CA-03    SYSTEM INTERCONNECTIONS
66    7     CA-07    CONTINUOUS MONITORING
67    7     SC-08    TRANSMISSION CONFIDENTIALITY AND INTEGRITY
68    7     SC-17    PUBLIC KEY INFRASTRUCTURE CERTIFICATES
69    7     SC-40    WIRELESS LINK PROTECTION
70    7     SI-04    INFORMATION SYSTEM MONITORING
71    8     CP-09    INFORMATION SYSTEM BACKUP
72    8     CP-10    INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
73    8     MP-04    MEDIA STORAGE
74    9     AT-01    SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
75    9     AT-02    SECURITY AWARENESS TRAINING
76    9     AT-03    ROLE-BASED SECURITY TRAINING
77    9     AT-04    SECURITY TRAINING RECORDS
78    9     PM-13    INFORMATION SECURITY WORKFORCE
79    9     PM-14    TESTING, TRAINING, AND MONITORING
80    9     PM-16    THREAT AWARENESS PROGRAM
81    9     SA-11    DEVELOPER SECURITY TESTING AND EVALUATION
82    9     SA-16    DEVELOPER-PROVIDED TRAINING
83    10    AC-04    INFORMATION FLOW ENFORCEMENT
84    10    CM-02    BASELINE CONFIGURATION
85    10    CM-03    CONFIGURATION CHANGE CONTROL
86    10    CM-05    ACCESS RESTRICTIONS FOR CHANGE
87    10    CM-06    CONFIGURATION SETTINGS
88    10    CM-08    INFORMATION SYSTEM COMPONENT INVENTORY
89    10    MA-04    NONLOCAL MAINTENANCE
90    10    CA-03    SYSTEM INTERCONNECTIONS
91    10    CA-07    CONTINUOUS MONITORING
92    10    CA-09    INTERNAL SYSTEM CONNECTIONS
93    10    SC-24    FAIL IN KNOWN STATE
94    10    SI-04    INFORMATION SYSTEM MONITORING
95    11    AC-04    INFORMATION FLOW ENFORCEMENT
96    11    CM-02    BASELINE CONFIGURATION
97    11    CM-06    CONFIGURATION SETTINGS
98    11    CM-08    INFORMATION SYSTEM COMPONENT INVENTORY
99    11    CA-07    CONTINUOUS MONITORING
100   11    CA-09    INTERNAL SYSTEM CONNECTIONS
101   11    SC-20    SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
102   11    SC-21    SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
103   11    SC-22    ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
104   11    SC-41    PORT AND I/O DEVICE ACCESS
105   11    SI-04    INFORMATION SYSTEM MONITORING
106   12    AC-02    ACCOUNT MANAGEMENT
107   12    AC-06    LEAST PRIVILEGE
108   12    AC-17    REMOTE ACCESS
109   12    AC-19    ACCESS CONTROL FOR MOBILE DEVICES
110   12    IA-02    IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
111   12    IA-04    IDENTIFIER MANAGEMENT
112   12    IA-05    AUTHENTICATOR MANAGEMENT
113   12    CA-07    CONTINUOUS MONITORING
114   12    SI-04    INFORMATION SYSTEM MONITORING
115   13    AC-04    INFORMATION FLOW ENFORCEMENT
116   13    AC-17    REMOTE ACCESS
117   13    AC-20    USE OF EXTERNAL INFORMATION SYSTEMS
118   13    CM-02    BASELINE CONFIGURATION
119   13    CA-03    SYSTEM INTERCONNECTIONS
120   13    CA-07    CONTINUOUS MONITORING
121   13    CA-09    INTERNAL SYSTEM CONNECTIONS
122   13    SC-07    BOUNDARY PROTECTION
123   13    SC-08    TRANSMISSION CONFIDENTIALITY AND INTEGRITY
124   13    SI-04    INFORMATION SYSTEM MONITORING
125   13    SA-09    EXTERNAL INFORMATION SYSTEM SERVICES
126   14    AC-23    DATA MINING PROTECTION
127   14    AU-02    AUDIT EVENTS
128   14    AU-03    CONTENT OF AUDIT RECORDS
129   14    AU-04    AUDIT STORAGE CAPACITY
130   14    AU-05    RESPONSE TO AUDIT PROCESSING FAILURES
131   14    AU-06    AUDIT REVIEW, ANALYSIS, AND REPORTING
132   14    AU-07    AUDIT REDUCTION AND REPORT GENERATION
133   14    AU-08    TIME STAMPS
134   14    AU-09    PROTECTION OF AUDIT INFORMATION
135   14    AU-10    NON-REPUDIATION
136   14    AU-11    AUDIT RECORD RETENTION
137   14    AU-12    AUDIT GENERATION
138   14    AU-13    MONITORING FOR INFORMATION DISCLOSURE
139   14    AU-14    SESSION AUDIT
140   14    IA-10    ADAPTIVE IDENTIFICATION AND AUTHENTICATION
141   14    CA-07    CONTINUOUS MONITORING
142   14    SI-04    INFORMATION SYSTEM MONITORING
143   15    AC-01    ACCESS CONTROL POLICY AND PROCEDURES
144   15    AC-02    ACCOUNT MANAGEMENT
145   15    AC-03    ACCESS ENFORCEMENT
146   15    AC-06    LEAST PRIVILEGE
147   15    AC-24    ACCESS CONTROL DECISIONS
148   15    MP-03    MEDIA MARKING
149   15    RA-02    SECURITY CATEGORIZATION
150   15    CA-07    CONTINUOUS MONITORING
151   15    SC-16    TRANSMISSION OF SECURITY ATTRIBUTES
152   15    SI-04    INFORMATION SYSTEM MONITORING
153   16    AC-02    ACCOUNT MANAGEMENT
154   16    AC-03    ACCESS ENFORCEMENT
155   16    AC-07    UNSUCCESSFUL LOGON ATTEMPTS
156   16    AC-11    SESSION LOCK
157   16    AC-12    SESSION TERMINATION
158   16    IA-05    AUTHENTICATOR MANAGEMENT
159   16    IA-10    ADAPTIVE IDENTIFICATION AND AUTHENTICATION
160   16    CA-07    CONTINUOUS MONITORING
161   16    SC-17    PUBLIC KEY INFRASTRUCTURE CERTIFICATES
162   16    SC-23    SESSION AUTHENTICITY
163   16    SI-04    INFORMATION SYSTEM MONITORING
164   17    AC-03    ACCESS ENFORCEMENT
165   17    AC-04    INFORMATION FLOW ENFORCEMENT
166   17    AC-23    DATA MINING PROTECTION
167   17    IR-09    INFORMATION SPILLAGE RESPONSE
168   17    MP-05    MEDIA TRANSPORT
169   17    CA-07    CONTINUOUS MONITORING
170   17    CA-09    INTERNAL SYSTEM CONNECTIONS
171   17    SC-08    TRANSMISSION CONFIDENTIALITY AND INTEGRITY
172   17    SC-28    PROTECTION OF INFORMATION AT REST
173   17    SC-31    COVERT CHANNEL ANALYSIS
174   17    SC-41    PORT AND I/O DEVICE ACCESS
175   17    SI-04    INFORMATION SYSTEM MONITORING
176   17    SA-18    TAMPER RESISTANCE AND DETECTION
177   18    IR-01    INCIDENT RESPONSE POLICY AND PROCEDURES
178   18    IR-02    INCIDENT RESPONSE TRAINING
179   18    IR-03    INCIDENT RESPONSE TESTING
180   18    IR-04    INCIDENT HANDLING
181   18    IR-05    INCIDENT MONITORING
182   18    IR-06    INCIDENT REPORTING
183   18    IR-07    INCIDENT RESPONSE ASSISTANCE
184   18    IR-08    INCIDENT RESPONSE PLAN
185   18    IR-10    INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
186   19    AC-04    INFORMATION FLOW ENFORCEMENT
187   19    CA-03    SYSTEM INTERCONNECTIONS
188   19    CA-09    INTERNAL SYSTEM CONNECTIONS
189   19    SC-20    SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
190   19    SC-21    SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
191   19    SC-22    ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
192   19    SC-32    INFORMATION SYSTEM PARTITIONING
193   19    SC-37    OUT-OF-BAND CHANNELS
194   19    SA-08    SECURITY ENGINEERING PRINCIPLES
195   20    PM-06    INFORMATION SECURITY MEASURES OF PERFORMANCE
196   20    PM-14    TESTING, TRAINING, AND MONITORING
197   20    PM-16    THREAT AWARENESS PROGRAM
198   20    RA-06    TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
199   20    CA-02    SECURITY ASSESSMENTS
200   20    CA-05    PLAN OF ACTION AND MILESTONES
201   20    CA-06    SECURITY AUTHORIZATION
202   20    CA-08    PENETRATION TESTING
203   20    SI-06    SECURITY FUNCTION VERIFICATION