Relevant NIST Controls

Andi Lamprecht · 5 min read · Accepted
ADR-0060 · Author: Sybil Melton · Date: 2025-02-07 · Products: platform
Originally 0012_relevant-nist-controls (v6) · Source on Confluence
Security Function · Control · NIST 800-53 Control

DETECT, PROTECT · DATA MINING PROTECTION · AC-23
Employ data mining prevention and detection techniques for data storage objects to detect and protect against unauthorized data mining.
  • Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery.
  • Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining.

AUDIT · CONTINUOUS MONITORING | AUTOMATION SUPPORT FOR MONITORING · CA-7(6)
Ensure the accuracy, currency, and availability of monitoring results for the system.
  • Using automated tools for monitoring helps to maintain the accuracy, currency, and availability of monitoring information, which in turn helps to increase the level of ongoing awareness of the system security and privacy posture in support of organizational risk management decisions.

AUDIT · SYSTEM COMPONENT INVENTORY · CM-8
  1. Develop and document an inventory of system components that:
    • Accurately reflects the system;
    • Includes all components within the system;
    • Does not include duplicate accounting of components or components assigned to any other system;
    • Is at the level of granularity deemed necessary for tracking and reporting;
    • Includes the information deemed necessary to achieve effective system component accountability; and
  2. Review and update the system component inventory.
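The properties CM-8 asks of an inventory (no duplicate accounting, no components that belong to another system, the accountability fields present, and agreement with what is actually running) can be checked mechanically. The script below is an added example, not part of this ADR or of the platform's tooling: the record fields, the system name "platform", the sample inventory and the discovery result are constructed for illustration.

```python
"""Reconcile a documented system component inventory (CM-8) against components
actually discovered on the network.

Added example for this ADR; the record layout, the system name "platform" and
the sample inventory/discovery data are constructed, not real platform data."""
from collections import Counter
from dataclasses import dataclass, field

# Fields every record must carry ("information deemed necessary to achieve
# effective system component accountability"); constructed list.
REQUIRED_FIELDS = ("id", "hostname", "system", "owner", "software_version")

# Constructed sample inventory for the system "platform".
INVENTORY = [
    {"id": "c-001", "hostname": "web-01", "system": "platform", "owner": "team-web", "software_version": "nginx 1.24"},
    {"id": "c-002", "hostname": "db-01", "system": "platform", "owner": "team-data", "software_version": "postgres 15"},
    {"id": "c-002", "hostname": "db-01", "system": "platform", "owner": "team-data", "software_version": "postgres 15"},  # duplicate accounting
    {"id": "c-003", "hostname": "bastion", "system": "corp-it", "owner": "team-it", "software_version": "openssh 9.6"},   # assigned to another system
    {"id": "c-004", "hostname": "cache-01", "system": "platform", "owner": "", "software_version": "redis 7"},            # owner missing
    {"id": "c-005", "hostname": "old-worker", "system": "platform", "owner": "team-web", "software_version": "celery 5"},  # no longer exists
]

# Constructed sample: hostnames seen by a discovery scan of the platform network.
DISCOVERED = {"web-01", "db-01", "cache-01", "worker-07"}


@dataclass
class Findings:
    duplicate_ids: list = field(default_factory=list)     # same id recorded more than once
    other_system: list = field(default_factory=list)      # records assigned to a different system
    incomplete: list = field(default_factory=list)        # records with an empty required field
    not_in_inventory: list = field(default_factory=list)  # discovered but undocumented
    not_discovered: list = field(default_factory=list)    # documented but not seen

    def ok(self) -> bool:
        """True when every CM-8 check passed."""
        return not any(vars(self).values())


def validate_inventory(inventory, discovered, system):
    """Return the CM-8 discrepancies between `inventory` and `discovered` for `system`."""
    f = Findings()
    in_scope = [c for c in inventory if c.get("system") == system]

    counts = Counter(c["id"] for c in in_scope)
    f.duplicate_ids = sorted(cid for cid, n in counts.items() if n > 1)
    f.other_system = sorted(c["id"] for c in inventory if c.get("system") != system)
    f.incomplete = sorted({c["id"] for c in in_scope if any(not c.get(k) for k in REQUIRED_FIELDS)})

    # "Accurately reflects the system": documented set vs. observed set, both directions.
    documented = {c["hostname"] for c in in_scope}
    f.not_in_inventory = sorted(discovered - documented)
    f.not_discovered = sorted(documented - discovered)
    return f


if __name__ == "__main__":
    result = validate_inventory(INVENTORY, DISCOVERED, "platform")
    for check, items in vars(result).items():
        print(f"{check:18s} {items}")
    print("inventory accurate:", result.ok())
```

Running the reconciliation on every inventory review (item 2) turns the five bullet points into a pass/fail gate; each non-empty list names the records that need correcting.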

PLAN · SECURITY AND PRIVACY ARCHITECTURES | DEFENSE IN DEPTH | SUPPLIER DIVERSITY · PL-8(1), PL-8(2)
  1. PL-8(1): Strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective.
    • Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary;
    • it also increases the likelihood of detection.
  2. PL-8(2): Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings.
    • For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules.
    • By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code.
    • With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods. Using multiple products may result in more assurance that personally identifiable information is inventoried.

DETECT, PROTECT · VULNERABILITY MONITORING AND SCANNING | DISCOVERABLE INFORMATION | REVIEW HISTORIC AUDIT LOGS | CORRELATE SCANNING INFORMATION · RA-5, RA-5(4), RA-5(8), RA-5(10)
  1. Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;
  2. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    • Enumerating platforms, software flaws, and improper configurations;
    • Formatting checklists and test procedures; and
    • Measuring vulnerability impact;
  3. Analyze vulnerability scan reports and results from vulnerability monitoring;
  4. Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;
  5. Share information obtained from the vulnerability monitoring process and control assessments to help eliminate similar vulnerabilities in other systems; and
  6. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

DETECT · THREAT HUNTING · RA-10
  1. Establish and maintain a cyber threat hunting capability to:
    • Search for indicators of compromise in organizational systems; and
    • Detect, track, and disrupt threats that evade existing controls; and
  2. Employ the threat hunting capability.

DETECT, PROTECT · MALICIOUS CODE PROTECTION · SI-3
  1. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
  2. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
  3. Configure malicious code protection mechanisms to:
    1. Perform periodic scans of the system and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational policy; and
    2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]] and send alert in response to malicious code detection; and
  4. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

DETECT · SYSTEM MONITORING | ANALYZE TRAFFIC AND COVERT EXFILTRATION · SI-4(18)
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information.
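Two simple analyses that SI-4(18) can start from at an external interface are per-host outbound volume against a baseline (including a lopsided upload/download ratio) and DNS query names whose leftmost label is long and high-entropy, a pattern consistent with data being encoded into hostnames. The script below is an added example, not part of this ADR or of the platform's monitoring; the internal address ranges, baseline values, thresholds, flow records and DNS log lines are all constructed.

```python
"""Flag candidate covert exfiltration in outbound traffic at the egress interface (SI-4(18)).

Added example for this ADR. The internal ranges, baselines, thresholds, flow
records and DNS queries are constructed for illustration, not platform data."""
import ipaddress
import math
from collections import Counter, defaultdict

# Constructed: address space considered "inside" the system boundary.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records for one hour, as exported by a flow collector at the external interface.
FLOWS = [
    {"src": "10.0.1.20", "dst": "203.0.113.10", "dport": 443, "bytes_out": 180_000, "bytes_in": 2_400_000},      # ordinary browsing
    {"src": "10.0.1.21", "dst": "203.0.113.10", "dport": 443, "bytes_out": 150_000, "bytes_in": 1_900_000},      # ordinary browsing
    {"src": "10.0.1.22", "dst": "198.51.100.7", "dport": 443, "bytes_out": 920_000_000, "bytes_in": 3_000_000},  # bulk upload to external host
    {"src": "10.0.1.22", "dst": "10.0.2.5", "dport": 5432, "bytes_out": 800_000_000, "bytes_in": 50_000},        # internal traffic, not in scope
    {"src": "10.0.1.23", "dst": "198.51.100.53", "dport": 53, "bytes_out": 4_200_000, "bytes_in": 300_000},      # very chatty DNS client
]

# Constructed per-host baseline: typical hourly outbound bytes to external destinations.
BASELINE = {"10.0.1.20": 200_000, "10.0.1.21": 200_000, "10.0.1.22": 250_000, "10.0.1.23": 50_000}

# Constructed DNS query log: (client, queried name).
DNS_QUERIES = [
    ("10.0.1.20", "www.example.com"),
    ("10.0.1.23", "3q7z9k2mvbx8p0lrt5ycw.data.example.net"),
    ("10.0.1.23", "ab12cd34ef56gh78ij90kl.data.example.net"),
]


def outbound_by_host(flows):
    """Sum bytes out/in per internal source, counting only flows that leave the boundary."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0})
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]]["bytes_out"] += f["bytes_out"]
            totals[f["src"]]["bytes_in"] += f["bytes_in"]
    return totals


def detect_volume_anomalies(flows, baseline, factor=10, upload_ratio=5):
    """Hosts sending far more than their baseline, or far more than they receive (constructed thresholds)."""
    alerts = []
    for host, t in sorted(outbound_by_host(flows).items()):
        reasons = []
        base = baseline.get(host)
        if base is None:
            reasons.append("no baseline for host")
        elif t["bytes_out"] > factor * base:
            reasons.append(f"outbound {t['bytes_out'] / base:.0f}x baseline")
        if t["bytes_out"] > upload_ratio * max(t["bytes_in"], 1):
            reasons.append("upload-heavy: sends far more than it receives")
        if reasons:
            alerts.append({"host": host, "bytes_out": t["bytes_out"], "reasons": reasons})
    return alerts


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def detect_suspicious_dns(queries, min_label_len=20, min_entropy=3.5):
    """Queries whose leftmost label is both long and high-entropy (constructed thresholds)."""
    flagged = []
    for host, name in queries:
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            flagged.append({"host": host, "name": name, "entropy": round(shannon_entropy(label), 2)})
    return flagged


if __name__ == "__main__":
    for a in detect_volume_anomalies(FLOWS, BASELINE):
        print(a)
    for q in detect_suspicious_dns(DNS_QUERIES):
        print(q)
```

Both checks are deliberately coarse: the baseline and the label thresholds need tuning per environment, and a flagged host is a lead for the analysis step, not a verdict.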

DETECT, PROTECT · SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION · SI-7(17)
Implement controls for application self-protection at runtime.
  • Runtime (the period during which a computer program is executing) application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution.
  • Runtime exploit prevention differs from traditional perimeter-based protections such as guards and firewalls, which can only detect and block attacks by using network information without contextual awareness.
  • Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs and blocking those inputs that could allow attacks, and can protect from unwanted changes and tampering.
  • When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g., sending a warning message to the user, terminating the user's session, terminating the application, or sending an alert).