How to Map NIST Cybersecurity Framework Controls

To work with the US government, organizations need to implement NIST frameworks like the CSF. NIST SP 800-53 maps CSF principles into executable controls, which then translate into requirements in other frameworks, like SP 800-171, that are required for specific contracts.

Need help mapping NIST Cybersecurity Framework Controls? Schedule a consultation today. 

 

NIST Cybersecurity Framework and SP 800-53

The National Institute of Standards and Technology (NIST) first published its Framework for Improving Critical Infrastructure Cybersecurity in 2014, with a major update (Version 1.1) in 2018. Version 2.0 is currently in production and expected in early 2024. Better known as the Cybersecurity Framework (CSF), it is a foundational text that sketches out the general NIST approach to cybersecurity. It also serves as the basis for all other NIST security frameworks.

Another foundational text in that respect is NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. SP 800-53 takes the general concepts and approaches in the CSF and translates them into specific controls. Understanding how to map CSF controls generally means mapping from SP 800-53 to another framework.

 

NIST SP 800-53 to NIST SP 800-171 Mapping

Organizations seeking contract work with the US government often come into contact with Controlled Unclassified Information (CUI). As such, they typically need to implement and assess controls from NIST SP 800-171, Protecting CUI in Nonfederal Systems and Organizations.

NIST SP 800-171 comprises 110 individual Requirements, organized across 14 Families. Some Requirements are Basic, covering fundamental, often simple protections. Others are Derived, prescribing specific and often complex safeguards against the most insidious threats to CUI.

All controls in this document are directly adapted from the SP 800-53 and NIST CSF frameworks. So, organizations that are familiar with SP 800-53 and have implemented its controls can follow SP 800-171’s guidance on mapping to streamline their assessments.

Below is a breakdown of each Requirement Family’s Basic and Derived requirements and how they map onto specific NIST SP 800-53 Controls, organized by their codenames in 800-171.

 

Request a Consultation

 

Mapping Access Control Requirements

Access Control (AC) is one of the largest Requirement Families in SP 800-171, concerning protections that limit and control users’ access to systems containing or connected to CUI.

There are two Basic AC Requirements, which map together collectively:

• 3.1.1 and 3.1.2 – Three distinct Controls from NIST SP 800-53:

• • AC-2, Account Management
  • AC-3, Access Enforcement
  • AC-17, Remote Access

In addition, there are 20 Derived AC Requirements, which map as follows:

• 3.1.3 – AC-4, Information Flow Enforcement

• 3.1.4 – AC-5, Separation of Duties

• 3.1.5 – AC-6, Least privilege, including the following sub-controls:

• AC-6(1), Authorize Access to Security Functions

• • • AC-6(5), Privileged Accounts

• 3.1.6 – AC-6(2), Non-Privileged Access for Nonsecurity Functions

• 3.1.7 – Two sub-controls under AC-6:

• • • AC-6(9), Log Use of Privileged Functions
    • AC-6(10), Prohibit Non-Privileged Users’ Executive Function Use

• 3.1.8 – AC-7, Unsuccessful Logon Attempts

• 3.1.9 – AC-8, System use Notification

• 3.1.10 – AC-11, Session Lock, including the following sub-control:

• • • AC-11(1), Pattern-Hiding Displays

• 3.1.11 – AC-12, Session Termination

• 3.1.12 – AC-17(1), Remote Access (Automated Monitoring or Control)

• 3.1.13 – AC-17(2), Remote Access (Protection on Integrity with Encryption)

• 3.1.14 – AC-17(3), Remote Access (Managed Access Control Points)

• 3.1.15 – AC-17(4), Remote Access (Privileged Commands or Access)

• 3.1.16 – AV-18, Wireless Access

• 3.1.17 – AC-18(1), Wireless Access (Authentication and Encryption)

• 3.1.18 – AC-19, Access Control for Mobile Devices

• 3.1.19 – AC-19(5), Access Control for Mobile Devices (Full-Device Encryption)

• 3.1.20 – AC-20, Use of External Systems, including the following sub-control:

• • • AC-20(1), Limits on Authorized Use

• 3.1.21 – AC-20(2), Use of External Systems (Portable Storage Devices)

• 3.1.22 – AC-22, Publicly Accessible Content

 

Mapping Awareness and Training Requirements

Awareness and Training (AT) Requirements govern how organizations should train their staff about CUI handling and safety. It comprises two Basic Requirements, which map together:

• 3.2.1 and 3.2.2 – Two distinct Controls from NIST SP 800-53:
  • AT-2, Security Awareness Training
  • AT-3, Role-Based Security Training

There is also one Enhanced AT Requirement, which maps as follows:

• 3.2.3 – AT-2(2), Security Awareness Training (Insider Threats)

 

Mapping Audit and Accountability Requirements

There are two Basic Audit and Accountability (AU) Requirements, which establish general standards for regular self-auditing and audit log protocols. These Requirements map together:

• 3.3.1 and 3.3.2 – Six distinct Controls from NIST SP 800-53:

• • AU-2, Event Logging
  • AU-3, Content of Audit Records
  • AU-3(1), Content of Audit Records (Additional Audit Information)
  • AU-6, Audit Record Review, Analysis, and Reporting
  • AU-11, Audit Record Retention
  • AU-12, Audit Record Generation

There are also seven Enhanced AU Requirements, which map as follows:

• 3.3.3 – AU-2(3), Event Logging (Review and Updates) 

• 3.3.4 – AU-5, Response to Audit Logging Failures
• 3.3.5 – AU-6(3), Audit Record Review, Analysis, and Reporting (Correlate Repositories)
• 3.3.6 – AU-7, Audit Record Reduction and Report Generation
• 3.3.7 – AU-8, Time Stamps, including the following sub-control:
  • AU-8(1), Synchronization with Authoritative Time Source
• 3.3.8 – AU-9, Protection of Audit Information
• 3.3.9 – AU-9, Protection of Audit Information (Access by Select Privileged Users)

 

Mapping Configuration Management Requirements

Configuration Management (CM) concerns the setup and ongoing maintenance of settings on software and hardware. There are two Basic CM Requirements, which map together:

• 3.4.1 and 3.4.2 – Four distinct Controls from NIST SP 800-53:

• • CM-2, Baseline Configuration
  • CM-6, Configuration Settings
  • CM-8, System Component Inventory
  • CM-8(1), System Component Inventory (Updates During Installations)

There are also seven Derived CM Requirements, which map as follows:

• 3.4.3 – CM-3, Configuration Change Control

• 3.4.4 – CM-4, Security Impact Analysis
• 3.4.5 – CM-5, Access Restrictions for Changes
• 3.4.6 – CM-7, Least Functionality
• 3.4.7 – Two sub-controls within CM-7, Least Functionality:
  • CM-7(1), Periodic Review
  • CM-7(2), Prevent Program Execution
• 3.4.8 – Two sub-controls within CM-7, Least Functionality:
  • CM-7(4), Unauthorized Software or Blacklisting
  • CM-7(5), Authorized Software or Whitelisting
• 3.4.9 – CM-11, User-Installed Software

Mapping Identification and Authentication Requirements

Identification and Authentication (IA), like AC, governs practices for ensuring that users who can access sensitive data are who they say they are and have the appropriate authority to do so.

The two Basic IA Requirements map together:

• 3.5.1 and 3.5.2 – Three distinct Controls from NIST SP 800-53:

• • IA-2, Organizational User Identification / Authorization:
  • IA-3, Device Identification and Authentication
  • IA-5, Authenticator Management

And there are nine Derived IA Requirements, which map as follows:

• 3.5.3 – Three sub-controls within IA-2, Organizational User Identification / Authorization:

• • IA-2(1), Network Access to Privileged Accounts
  • IA-2(2), Network Access to Non-Privileged Accounts
  • IA-2(3), Local Access to Privileged Accounts
• 3.5.4 – Two sub-controls within IA-2, Organizational User Identification / Authorization:
  • IA-2(8), Replay-resistant Network Access to Privileged Accounts
  • IA-2(9), Replay-resistant Network Access to Non-privileged Accounts
• 3.5.5 and 3.5.6 – IA-4, Identifier Management
• 3.5.7, 3.5.8, 3.5.9, and 3.5.10 – IA-5(1), Authenticator Management (Password-based)
• 3.5.11 – IA-6, Authenticator Feedback

NOTE: Control IA-2(8) was recently added to the SP 800-53 framework. Organizations that implemented SP 800-53 controls prior to 2020 may not have its protections accounted for.

 

Mapping Incident Response Requirements

Incident Response (IR) governs how organizations should respond to events such as attacks or data breaches impacting CUI. There are two Basic IR Requirements, which map together:

• 3.6.1 and 3.6.2 – Five distinct Controls from NIST SP 800-53:

• • IR-2, Incident Response Training
  • IR-4, Incident Handling
  • IR-5, Incident Monitoring
  • IR-6, Incident Reporting
  • IR-7, Incident Response Assistance

There is also just one Derived IR Requirement, which maps as follows:

• 3.6.3 – Incident Response Testing

 

Mapping Maintenance Requirements

Maintenance (MA) concerns the long-term management of software and hardware that process CUI. As with all other Families, the two Basic MA Requirements map together:

• 3.7.1 and 3.7.2 – Four distinct Controls from NIST SP 800-53:

• • MA-2, Controlled Maintenance
  • MA-3, Maintenance Tools
  • MA-3(1), Maintenance Tools (Inspect Tools)
  • MA-3(2), Maintenance Tools (Inspect Media)

And the four Derived MA Requirements map as follows:

• 3.7.3 – MA-2, Controlled Maintenance

• 3.7.4 – MA-3(2), MA-3(2), Maintenance Tools (Inspect Media)
• 3.7.5 – MA-4, Nonlocal Maintenance
• 3.7.6 – MA-5, Maintenance Personnel

Mapping Media Protection Requirements

Media Protection (MP) dictates protections for any media that can access, store, or otherwise come into contact with CUI. It comprises three Basic Requirements, which map together:

• 3.8.1, 3.8.2, and 3.8.3 – Three distinct Controls from NIST SP 800-53:

• • MP-2, Media Access
  • MP-4, Media Storage
  • MP-6, Media Sanitization

There are also six Derived MP Requirements, which map as follows:

• 3.8.4 – MP-3, Media Marking

• 3.8.5 – MP-5, Media Transport
• 3.8.6 – MP-5(4), Media Transport (Cryptographic Protection)
• 3.8.7 – MP-7, Media Use
• 3.8.8 – MP-7(1), Media Use (Prohibit Use Without Owner)
• 3.8.9 – CP-9, System Backup

 

Mapping Personnel Security Requirements

Personnel Security (PS) governs secure recruitment, hiring, lifecycle management, and termination of staff across two Basic Requirements, which map together as follows:

• 3.9.1 and 3.9.2 – Three distinct Controls from NIST SP 800-53:

• • PS-3, Personnel Screening
  • PS-4, Personnel Termination
  • PS-5, Personnel Transfer

There are no Derived PS requirements in NIST SP 800-171.

 

Mapping Physical Protection Requirements

Physical Protection (PE) ensures that hardware and environments in which CUI is stored or can be accessed are secure. There are two Basic PE Requirements, which map together:

• 3.10.1 and 3.10.2 – Four distinct Controls from NIST SP 800-53:

• • PE-2, Physical Access Authorizations
  • PE-4, Access Control for Transmission Medium
  • PE-5, Access Control for Output Devices
  • PE-6, Monitoring Physical Access

There are also four Derived PE Requirements, which map as follows:

• 3.10.3, 3.10.4, and 3.10.5 – PE-3, Physical Access Control
• 3.10.6 – PE-17, Alternate Work Site

 

Mapping Risk Assessment Requirements

Risk Assessment (RA) concerns how an organization should monitor for, identify, analyze, and mitigate risks to CUI before they become full-fledged cyber attacks or other security events.

There is one Basic RA Requirement, which maps to one Control:

• 3.11.1 – RA-3, Risk Assessment

There are also two Derived RA Requirements, which map in these ways:

• • 3.11.2 – RA-5, Vulnerability Scanning, including the following sub-control:
    • RA-5(5), Privileged Access

• 3.11.3 – RA-5, Vulnerability Scanning

 

Mapping Security Assessment Requirements

Security Assessment (CA) governs procedures for testing the functionality and efficacy of organizational security systems. There are four Basic CA Requirements, which map together:

• 3.12.1, 3.12.2, 3.12.3, and 3.12.4 – Three distinct Controls from NIST SP 800-53:

• • CA-2, Security Assessments
  • CA-5, Plan of Action and Milestones
  • CA-7,  Continuous Monitoring
  • PL-2, System Security Plan

There are no Derived CA Requirements in SP 800-171.

 

Mapping System and Communications Protection Requirements

System and Communications Protection (SC) prescribes safeguards for communications over secure and unknown or unsecured networks. The two Basic SC Requirements map together:

• 3.13.1 and 3.13.2 – Two distinct Controls from NIST SP 800-53:

• • SC-7, Boundary Protections
  • SA-8, Security Engineering Principles

There are also 14 Derived SC Requirements, which map as follows:

• 3.13.3 – SC-2, Application Partitioning

• 3.13.4 – SC-4, Information in Shared Resources
• 3.13.5 – SC-7, Boundary Protections
• 3.13.6 – SC-7(5), Boundary Protections (Deny by Default or Allow by Exception)
• 3.13.7 – SC-7(7), Boundary Protections (Prevent Split Tunneling for Remote Devices)
• 3.13.8 – SC-8, Transmission Confidentiality and Integrity, including one sub-control:
  • SC-8(1), Cryptographic or Alternate Physical Protections
• 3.13.9 – SC-10, Network Disconnection
• 3.13.10 – SC-12, Cryptographic Key Establishment and Management
• 3.13.11 – SC-13, Cryptographic Protection
• 3.13.12 – SC-15, Collaborative Computing Devices
• 3.13.13 – SC-18, Mobile Code
• 3.13.14 – SC-19, Voice over Internet Protocol
• 3.13.15 – SC-23, Session Authenticity
• 3.13.16 – SC-28, Protection of Information at Rest

 

Mapping System and Information Integrity Requirements

Finally, System and Information Integrity (SI) works alongside CA Requirements to ensure that an organization’s protection systems are functioning as designed and data retains its integrity.

There are three Basic SI Requirements, which map together:

• 3.14.1, 3.14.2, and 3.14.3 – Three distinct Controls from NIST SP 800-53:
  • SI-2, Flaw Remediation
  • SI-3, Malicious Code Protection
  • SI-5, Security Alerts, Advisories, and Directives

There are also four Derived SI Requirements, which map as follows:

• 3.14.4 and 3.14.5 – SI-3, Malicious Code Protection
• 3.14.6 – SI-4, System Monitoring, including the following sub-control:
  • SI-4(4), Inbound and Outbound Communications Traffic
• 3.14.7 – SI-4, System Monitoring

 

Preparing for CMMC and DoD Compliance

Organizations seeking contracts with the Department of Defense (DoD) in particular need to do more than just map controls between publications like NIST cybersecurity framework, 800-53, and 800-171. They need to achieve Cybersecurity Maturity Model Certification (CMMC) up to the Level designated on their contract by implementing practices and then assessing them.

The first two Levels of CMMC require implementing practices adapted from SP 800-171:

• CMMC Level 1: “Foundational” – Organizations implement 15 practices adapted from 800-171 and must conduct annual self-assessments to verify their security maturity.
• CMMC Level 2: “Advanced” – Organizations implement 110 practices covering all of 800-171 and conduct triennial third-party assessments (or self-led, in some cases).

CMMC Level 3, “Expert,” will require implementing an unknown number of practices adapted from NIST SP 800-172. That framework builds on the Requirements from 800-171 and adds a total of 35 Enhanced Requirements across a selection of Families. Level 3 organizations will also require triennial, government-led assessments to achieve and maintain certification.

Working with a CMMC advisor is the best way to prepare for and achieve certification.

 

Optimize Your Cybersecurity Implementation

Mapping NIST CSF controls typically involves adapting safeguards prescribed in SP 800-53 to meet the requirements of other frameworks. One of the most widely applicable is 800-171, which covers all organizations that come into contact with CUI. All of its Requirements are mappable to 800-53 Controls, streamlining assessments for DoD and other compliance.

RSI Security helps organizations prepare for DoD and governmental compliance with strategy, initial implementation, mapping, and assessment of cybersecurity infrastructure. We believe that discipline creates freedom, and the right way is the only way to keep your sensitive data safe.

For further assistance mapping controls from the NIST cybersecurity framework, SP 800-53, or other safeguards for SP 800-171 or CMMC implementation, contact RSI Security today!

 

 
 

Download Our Comprehensive Guide to NIST Implementation