Supporting NIST 800-53 Security Controls and Publications

The major controls in the NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems control catalog that impact telework are:

AC-4, Information Flow Enforcement;
Related controls: AC-17, AC-19, AC-21, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18

AC-17, Remote Access;
Related controls: AC-3, AC-18, AC-20, IA-2, IA-3, IA-8, MA-4;
References: NIST Special Publications 800-46, 800-77, 800-113, 800-114, 800-121

AC-18, Wireless Access;
Related controls: AC-3, IA-2, IA-3, IA-8);
References: NIST Special Publications 800-48, 800-94, 800-97

AC-19, Access Control for Mobile Devices;
Related controls: MP-4, MP-5;
References: NIST Special Publications 800-114, 800-124

AC-21, User-Based Collaboration and Information Sharing;
Related control: AC-3

CA-2, Security Assessments;
Related controls: CA-6, CA-7, PM-9, SA-11;
References: FIPS Publication 199; NIST Special Publications 800-37, 800-53A, 800-115

CA-5, Plan of Action and Milestones;
Related control: PM-4;
References: OMB Memorandum 02-01; NIST Special Publication 800-37

CA-6, Security Authorization;
Related controls: CA-2, CA-7, PM-9, PM-10;
References: OMB Circular A-130; NIST Special Publication 800-37

CA-7, Continuous Monitoring;
Related controls: CA-2, CA-5, CA-6, CM-3, CM-4;
References: NIST Special Publications 800-37, 800-53A; US-CERT Technical Cyber Security Alerts; DOD Information Assurance Vulnerability Alerts

CM-6,Configuration Settings;
Related controls: CM-2, CM-3, SI-4;
References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: nvd.nist.gov; www.nsa.gov)

CM-7, Least Functionality;
Related controls: RA-5;

AU-2, Auditable Events;
Related control: AU-3;
References: NIST Special Publications 800-92; Web: CSRC.NIST.GOV/PCIG/CIG.HTML

IA-1, Identification and Authentication Policy and Procedures;
Related control: PM-9;
References: FIPS Publication 201; NIST Special Publications 800-12, 800-63, 800-73, 800-76, 800-78, 800-100

IA-2, Identification and Authentication (Organizational Users);
Related controls: AC-14, AC-17, AC-18, IA-4, IA-5;
References: HSPD 12; OMB Memorandum 04-04; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78

IA-3, Device Identification and Authentication;
Related controls: AC-17, AC-18

IA-5, Authenticator Management;
Related controls: AC-2, IA-2, PL-4, PS-6;
References: OMB Memorandum 04-04; FIPS Publication 201; NIST Special Publications 800-73, 800-63, 800-76, 800-78

IA-8, Identification and Authentication (Non-Organizational Users);
Related controls: AC-14, AC-17, AC-18, MA-4;
References: OMB Memorandum 04-04; Web: www.cio.gov/eauthentication; NIST Special Publication 800-63

IR-3, Incident Response Testing and Exercises;
Related control: AT-2;
References: NIST Special Publications 800-84, 800-115

IR-4, Incident Handling;
Related controls: AU-6, CP-2, IR-2, IR-3, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7;
References: NIST Special Publication 800-61

PE-17, Alternate Work Site;
References: NIST Special Publication 800-46

MA-3, Maintenance Tools;
Related controls: MP-6;
References: NIST Special Publication 800-88

MA-4, Non-Local Maintenance;
Related Controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-8, MA-5, MP-6, SC-7);
References: FIPS Publications 140-2, 197, 201; NIST Special Publications 800-63, 800-88; CNSS Policy 15

MA-6, Timely Maintenance;
Related control: CP-2

MP-2, Media Access;
Related controls: MP-4, PE-3;
References: FIPS Publication 199; NIST Special Publication 800-111

MP-4, Media Storage;
Related controls: AC-3, AC-19, CP-6, CP-9, MP-2, PE-3;
References: FIPS Publication 199; NIST Special Publications 800-56, 800-57, 800-111

MP-6, Media Sanitization;
References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: www.nsa.gov/ia/guidance/media_destruction_guidance/index.shtml)

PM-1, Information Security Program Plan;
Related control: PM-8

PM-4, Plan of Action and Milestones Process;
Related control: CA-5;
References: OMB Memorandum 02-01; NIST Special Publication 800-37

RA-5, Vulnerability Scanning;
Related controls: CA-2, CM-6, RA-3, SI-2;
References: NIST Special Publications 800-40, 800-70, 800-115; Web: cwe.mitre.org; nvd.nist.gov

SA-4, Acquisitions;
References: ISO/IEC 15408; FIPS 140-2; NIST Special Publications 800-23, 800-35, 800-36, 800-64, 800-70; Web: www.niap-ccevs.org)

SA-13, Trustworthiness;
Related controls: RA-2, SA-4, SA-8, SC-3;
References: FIPS Publications 199, 200; NIST Special Publications 800-53, 800-53A, 800-60, 800-64

SC-2, Application Partitioning;

SC-7, Boundary Protection;
Related controls: AC-4, IR-4, SC-5;
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77

SC-8, Transmission Integrity;
Related controls: AC-17, PE-4;
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-81, 800-113; NSTISSI No. 7003

SC-9, Transmission Confidentiality;
Related controls: AC-17, PE-4;
References: FIPS Publications 140-2, 197; NIST Special Publications 800-52, 800-77, 800-113; CNSS Policy 15; NSTISSI No. 7003

SC-17, Public Key Infrastructure Certificates;
References: OMB Memorandum 05-24; NIST Special Publications 800-32, 800-63

SC-18, Mobile Code;
References: NIST Special Publication 800-28; DOD Instruction 8552.01

SC-20, Secure Name /Address Resolution Service (Authoritative Source);
References: OMB Memorandum 08-23; NIST Special Publication 800-81

SC-21, Secure Name /Address Resolution Service (Recursive or Caching Resolver);
References: NIST Special Publication 800-81

SC-22, Architecture and Provisioning for Name/Address Resolution Service;
References: NIST Special Publication 800-81

SC-23, Session Authenticity;
References: NIST Special Publications 800-52, 800-77, 800-95

SC-28, Protection of Information at Rest;
References: NIST Special Publications 800-56, 800-57, 800-111

SI-2, Flaw Remediation;
Related controls: CA-2, CA-7, CM-3, MA-2, IR-4, RA-5, SA-11, SI-11;
References: NIST Special Publication 800-40

SI-3, Malicious Code Protection;
Related controls: SA-4, SA-8, SA-12, SA-13, SI-4, SI-7;
References: NIST Special Publication 800-83

SI-4, Information System Monitoring;
Related controls: AC-4, AC-8, AC-17, AU-2, AU-6, SI-3, SI-7
References: NIST Special Publications 800-61, 800-83, 800-92, 800-94

SI-5, Security Alerts, Advisories, and Directives;
References: NIST Special Publication 800-40

SI-8, Spam Protection;
Related controls: SC-5, SI-3;
References: NIST Special Publication 800-45

Information on these controls and guidance on possible implementations can be found in the following publications:

Special Publication (SP) 800-46 Rev. 1, Guide to Enterprise Telework and Remote Access Security

Special Publication (SP) 800-114, User's Guide to Securing External Devices for Telework and Remote Access

Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices