Catalog: NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations | Controls: 58
| Control ID | Title / Statement | Priority | Baseline Impact |
|---|---|---|---|
| PS-1 | Personnel Security Policy and Procedures (3 params). The organization: a. Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}: 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, managemen... | — | — |
| PS-2 | Position Risk Designation (1 param). The organization: a. Assigns a risk designation to all organizational positions; b. Establishes screening criteria for individuals filling those positions; and c. Reviews and updates position... | — | — |
| PS-3 | Personnel Screening (1 param). The organization: a. Screens individuals prior to authorizing access to the information system; and b. Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}. | — | — |
| PS-3(1) | Classified Information. The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification lev... | — | — |
| PS-3(2) | Formal Indoctrination. The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indo... | — | — |
| PS-3(3) | Information with Special Protection Measures (1 param). The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection: (a) Have valid access authorizations that ... | — | — |
| PS-4 | Personnel Termination (4 params). The organization, upon termination of individual employment: a. Disables information system access within {{ insert: param, ps-4_prm_1 }}; b. Terminates/revokes any authenticators/credentials a... | — | — |
| PS-4(1) | Post-employment Requirements. The organization: (a) Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and (b) Requires terminated i... | — | — |
| PS-4(2) | Automated Notification (1 param). The organization employs automated mechanisms to notify {{ insert: param, ps-4.2_prm_1 }} upon termination of an individual. | — | — |
| PS-5 | Personnel Transfer (4 params). The organization: a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or tran... | — | — |
| PS-6 | Access Agreements (2 params). The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and c. Ensu... | — | — |
| PS-6(1) | Information Requiring Special Protection | — | — |
| PS-6(2) | Classified Information Requiring Special Protection. The organization ensures that access to classified information requiring special protection is granted only to individuals who: (a) Have a valid access authorization that is demonstrated by assig... | — | — |
| PS-6(3) | Post-employment Requirements. The organization: (a) Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and (b) Requires individuals to sign an ackn... | — | — |
| PS-7 | Third-party Personnel Security (2 params). The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Requires third-party providers to comply with person... | — | — |
| PS-8 | Personnel Sanctions (2 params). The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies {{ insert: param, ps-8_p... | — | — |
| └ ps-1a | Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}: | — | — |
| └ ps-1a.1 | A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entiti... | — | — |
| └ ps-1a.2 | Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and | — | — |
| └ ps-1b | Reviews and updates the current: | — | — |
| └ ps-1b.1 | Personnel security policy {{ insert: param, ps-1_prm_2 }}; and | — | — |
| └ ps-1b.2 | Personnel security procedures {{ insert: param, ps-1_prm_3 }}. | — | — |
| └ ps-2a | Assigns a risk designation to all organizational positions; | — | — |
| └ ps-2b | Establishes screening criteria for individuals filling those positions; and | — | — |
| └ ps-2c | Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}. | — | — |
| └ ps-3.3.(a) | Have valid access authorizations that are demonstrated by assigned official government duties; and | — | — |
| └ ps-3.3.(b) | Satisfy {{ insert: param, ps-3.3_prm_1 }}. | — | — |
| └ ps-3a | Screens individuals prior to authorizing access to the information system; and | — | — |
| └ ps-3b | Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}. | — | — |
| └ ps-4.1.(a) | Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and | — | — |
| └ ps-4.1.(b) | Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process. | — | — |
| └ ps-4a | Disables information system access within {{ insert: param, ps-4_prm_1 }}; | — | — |
| └ ps-4b | Terminates/revokes any authenticators/credentials associated with the individual; | — | — |
| └ ps-4c | Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }}; | — | — |
| └ ps-4d | Retrieves all security-related organizational information system-related property; | — | — |
| └ ps-4e | Retains access to organizational information and information systems formerly controlled by terminated individual; and | — | — |
| └ ps-4f | Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}. | — | — |
| └ ps-5a | Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individ... | — | — |
| └ ps-5b | Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }}; | — | — |
| └ ps-5c | Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and | — | — |
| └ ps-5d | Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}. | — | — |
| └ ps-6.2.(a) | Have a valid access authorization that is demonstrated by assigned official government duties; | — | — |
| └ ps-6.2.(b) | Satisfy associated personnel security criteria; and | — | — |
| └ ps-6.2.(c) | Have read, understood, and signed a nondisclosure agreement. | — | — |
| └ ps-6.3.(a) | Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and | — | — |
| └ ps-6.3.(b) | Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information. | — | — |
| └ ps-6a | Develops and documents access agreements for organizational information systems; | — | — |
| └ ps-6b | Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and | — | — |
| └ ps-6c | Ensures that individuals requiring access to organizational information and information systems: | — | — |
| └ ps-6c.1 | Sign appropriate access agreements prior to being granted access; and | — | — |
| └ ps-6c.2 | Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps... | — | — |
| └ ps-7a | Establishes personnel security requirements including security roles and responsibilities for third-party providers; | — | — |
| └ ps-7b | Requires third-party providers to comply with personnel security policies and procedures established by the organization; | — | — |
| └ ps-7c | Documents personnel security requirements; | — | — |
| └ ps-7d | Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who po... | — | — |
| └ ps-7e | Monitors provider compliance. | — | — |
| └ ps-8a | Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and | — | — |
| └ ps-8b | Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying ... | — | — |