Cortex Xpanse does not make a determination regarding compliance with the listed NIST 800-53 controls.
Not all compliance violations can be detected from our scan data. Cortex Xpanse provides an external view of your attack surface. The controls listed below would require data from internal scans or checks against internal controls and processes where Xpanse does not have visibility. Therefore, Xpanse cannot make a determination regarding compliance with these specific controls.
The following NIST 800-53 controls, organized by control family, are unevaluated by the Expander Attack Surface Compliance Violations Dashboard.
AC-1 | Access Control Policy and Procedures |
AC-5 | Separation of Duties |
AC-7 | Unsuccessful Login Attempts |
AC-9 | Previous Logon (Access) Notification |
AC-10 | Concurrent Session Control |
AC-16 | Security Attributes |
AC-18 | Wireless Access |
AC-19 | Access Control for Mobile Devices |
AC-20 | Use of External Information Systems |
AC-21 | Information Sharing |
AC-22 | Publicly Accessible Content |
AC-23 | Data Mining Protection |
AC-24 | Access Control Decisions |
AC-25 | Reference Monitor |
AU-1 | Audit and Accountability Policy and Procedures |
AU-4 | Audit Storage Capacity |
AU-7 | Audit Reduction and Report Generation |
AU-8 | Time Stamps |
AU-9 | Protection of Audit Information |
AU-11 | Audit Record Retention |
AU-13 | Monitoring for Information Disclosure |
AU-14 | Session Audit |
AU-15 | Alternate Audit Capability |
AU-16 | Cross-Organizational Auditing |
AT-1 | Security Awareness and Training Policy and Procedures |
AT-2 | Security Awareness Training |
AT-3 | Role-Based Security Training |
AT-4 | Security Training Records |
CM-1 | Configuration Management Policy and Procedures |
CM-5 | Access Restrictions for Change |
CM-9 | Configuration Management Plan |
CM-11 | User-Installed Software |
CP-1 | Contingency Planning Policy and Procedures |
CP-3 | Contingency Training |
CP-4 | Contingency Plan Testing |
CP-6 | Alternate Storage Site |
CP-7 | Alternate Processing Site |
CP-8 | Telecommunications Services |
CP-11 | Alternate Communications Protocols |
CP-12 | Safe Mode |
CP-13 | Alternative Security Mechanisms |
IA-1 | Identification and Authentication Policy and Procedures |
IA-9 | Service Identification and Authentication |
IA-10 | Adaptive Identification and Authentication |
IA-11 | Re-authentication |
IR-1 | Incident Response Policy and Procedures |
IR-2 | Incident Response Training |
IR-3 | Incident Response Testing |
IR-10 | Integrated Information Security Analysis Team |
MA-1 | System Maintenance Policy and Procedures |
MA-3 | Maintenance Tools |
MA-4 | Nonlocal Maintenance |
MA-5 | Maintenance Personnel |
MA-6 | Timely Maintenance |
MP-1 | Media Protection Policy and Procedures |
MP-2 | Media Access |
MP-3 | Media Marking |
MP-4 | Media Storage |
MP-5 | Media Transport |
MP-7 | Media Use |
MP-8 | Media Downgrading |
PS-1 | Personnel Security Policy and Procedures |
PS-2 | Position Risk Designation |
PS-3 | Personnel Screening |
PS-4 | Personnel Termination |
PS-5 | Personnel Transfer |
PS-6 | Access Agreements |
PS-7 | Third-Party Personnel Security |
PS-8 | Personnel Sanctions |
PE-1 | Physical and Environmental Protection Policy and Procedures |
PE-2 | Physical Access Authorizations |
PE-4 | Access Control for Transmission Medium |
PE-5 | Access Control for Output Devices |
PE-6 | Monitoring Physical Access |
PE-8 | Visitor Access Records |
PE-9 | Power Equipment and Cabling |
PE-10 | Emergency Shutoff |
PE-11 | Emergency Power |
PE-12 | Emergency Lighting |
PE-13 | Fire Protection |
PE-14 | Temperature and Humidity Controls |
PE-15 | Water Damage Protection |
PE-16 | Delivery and Removal |
PE-17 | Alternate Work Site |
PE-18 | Location of Information System Components |
PE-19 | Information Leakage |
PE-20 | Asset Monitoring and Tracking |
PL-1 | Security Planning Policy and Procedures |
PL-4 | Rules of Behavior |
PL-7 | Security Concept of Operations |
PL-8 | Information Security Architecture |
PL-9 | Central Management |
PM-1 | Information Security Program Plan |
PM-2 | Senior Information Security Officer |
PM-3 | Information Security Resources |
PM-4 | Plan of Action and Milestones Process |
PM-5 | Information System Inventory |
PM-6 | Information Security Measures of Performance |
PM-7 | Enterprise Architecture |
PM-8 | Critical Infrastructure Plan |
PM-9 | Risk Management Strategy |
PM-10 | Security Authorization Process |
PM-11 | Mission/Business Process Definition |
PM-12 | Insider Threat Program |
PM-13 | Information Security Workforce |
PM-14 | Testing, Training, & Monitoring |
PM-15 | Contacts with Security Groups and Associations |
PM-16 | Threat Awareness Program |
RA-1 | Risk Assessment Policy and Procedures |
RA-2 | Security Categorization |
RA-6 | Technical Surveillance Countermeasures Survey |
CA-1 | Security Assessment and Authorization Policies and Procedures |
CA-2 | Security Assessments |
CA-5 | Plan of Action and Milestones |
CA-6 | Security Authorization |
CA-9 | Internal System Connections |
SC-2 | Application Partitioning |
SC-3 | Security Function Isolation |
SC-4 | Information in Shared Resources |
SC-6 | Resource Availability |
SC-11 | Trusted Path |
SC-16 | Transmission of Security Attributes |
SC-18 | Mobile Code |
SC-19 | Voice Over Internet Protocol |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service |
SC-23 | Session Authenticity |
SC-24 | Fail in Known State |
SC-25 | Thin Nodes |
SC-26 | Honeypots |
SC-29 | Heterogeneity |
SC-30 | Concealment and Misdirection |
SC-31 | Covert Channel Analysis |
SC-32 | Information System Partitioning |
SC-34 | Non-Modifiable Executable Programs |
SC-35 | Honeyclients |
SC-36 | Distributed Processing and Storage |
SC-37 | Out-of-Band Channels |
SC-38 | Operations Security |
SC-39 | Process Isolation |
SC-40 | Wireless Link Protection |
SC-41 | Port and I/O Device Access |
SC-42 | Sensor Capability and Data |
SC-43 | Usage Restrictions |
SC-44 | Detonation Chambers |
SI-1 | System and Information Integrity Policy and Procedures |
SI-5 | Security Alerts, Advisories, and Directives |
SI-6 | Security Function Verification |
SI-7 | Software, Firmware, and Information Integrity |
SI-11 | Error Handling |
SI-12 | Information Handling and Retention |
SI-13 | Predictable Failure Prevention |
SI-14 | Non-Persistence |
SI-15 | Information Output Filtering |
SI-16 | Memory Protection |
SI-17 | Fail-Safe Procedures |
SA-2 | Allocation of Resources |
SA-5 | Information System Documentation |
SA-9 | External Information System Services |
SA-13 | Trustworthiness |
SA-14 | Criticality Analysis |
SA-15 | Development Process, Standards, and Tools |
SA-18 | Tamper Resistance and Detection |
SA-19 | Component Authenticity |
SA-20 | Customized Development of Critical Components |
SA-21 | Developer Screening |