NIST 800-53 Rev 5 Assessment

Evaluate compliance with NIST SP 800-53 Revision 5 security and privacy controls for federal information systems and organizations

Biotech, Healthcare, Research | 22 minutes | 21 questions

1. Access Control (AC)

Do you enforce least privilege and separation of duties?*

AC-2, AC-5, AC-6: User access management and privilege restrictions

Is multi-factor authentication required for all privileged accounts?*

IA-2(1): MFA for network and privileged access

Are failed login attempts monitored and logged?*

AC-7: Account lockout after failed attempts

2. Awareness & Training (AT)

Do all users receive security awareness training before system access?*

AT-2: Literacy training covering threats, responsibilities, and acceptable use

Is security training updated annually and when threats or systems change?*

AT-2(2): Insider threat and social engineering awareness

3. Audit & Accountability (AU)

Are security-relevant events logged and protected from unauthorized access?*

AU-2, AU-9: Audit logging and log protection

Are audit logs reviewed regularly for security incidents?*

AU-6: Audit review, analysis, and reporting

Do you retain audit logs for at least 90 days with archival for 1 year?*

AU-11: Audit log retention requirements

4. Security Assessment (CA)

Do you conduct security assessments at least annually?*

CA-2: Independent security control assessments

Are all systems authorized to operate through formal assessment?*

CA-6: Authorization decisions based on risk acceptance

Do you maintain a plan of action and milestones (POA&M) for remediating weaknesses?*

CA-5: Tracking of security deficiencies

5. Incident Response (IR)

Do you have a documented incident response plan with defined roles?*

IR-4: Incident handling capability and procedures

Are security incidents tracked, documented, and reported to appropriate authorities?*

IR-6: US-CERT reporting within timeframes

Do you conduct incident response testing and exercises annually?*

IR-3: Tabletop exercises and simulations

6. Risk Assessment (RA)

Do you conduct risk assessments at least every 3 years or when significant changes occur?*

RA-3: Risk assessment methodology and cadence

Are vulnerability scans performed at least monthly?*

RA-5: Vulnerability monitoring and remediation

Do you remediate high-risk vulnerabilities within 30 days?*

RA-5(5): Privileged access for vulnerability scanning

7. System & Communications Protection (SC)

Is data encrypted in transit using FIPS 140-2 validated cryptography?*

SC-8, SC-13: TLS 1.2+ for data transmission

Are network boundaries protected with firewalls and intrusion detection?*

SC-7: Boundary protection and network segmentation

8. System & Information Integrity (SI)

Are systems protected with up-to-date malware defenses?*

SI-3: Malicious code protection on all endpoints

Are security patches installed within required timeframes?*

SI-2: 30 days for high-risk, 90 days for moderate
