NIST SP 800-53 Rev 5
The nist-800-53 pack enforces controls from NIST SP 800-53 Revision 5 for US federal information systems and FedRAMP compliance. It covers access control, audit and accountability, identification and authentication, system and communications protection, and system and information integrity.
Enable
Rules
The pack includes 21 rules across code enforcement and documentation obligations:
Code rules (13)
| ID | Clause | Severity | Description |
|---|---|---|---|
| NIST-AC-002 | AC-3 | high | Route handlers and API endpoints must include authentication/authorization checks |
| NIST-AC-003 | AC-7 | high | Authentication systems should implement account lockout after failed login attempts |
| NIST-AU-002 | AU-2 | medium | Security-relevant events (login, logout, access denied, privilege changes) must be logged |
| NIST-AU-003 | AU-8 | medium | Audit records must include timestamps from a reliable time source |
| NIST-IA-002 | IA-5 | critical | Passwords must not be stored in plaintext or with weak hashing algorithms |
| NIST-IA-003 | IA-5 | high | Password hashing must use approved algorithms — MD5 and SHA1 are not acceptable for password storage |
| NIST-IA-004 | IA-6 | high | Authentication feedback must not reveal password content to prevent shoulder surfing |
| NIST-SC-002 | SC-8 | high | Data in transit must be encrypted — HTTP without TLS is prohibited for non-local endpoints |
| NIST-SC-003 | SC-12 | critical | Cryptographic keys must not be embedded in source code |
| NIST-SC-004 | SC-13 | high | Only FIPS-approved cryptographic algorithms may be used — MD5, SHA1, DES, and RC4 are prohibited |
| NIST-SI-002 | SI-3 | critical | Dynamic code execution functions must not be used on user-controlled input |
| NIST-SI-003 | SI-10 | medium | User input must be validated before processing — raw request data should not be used directly |
| NIST-SI-004 | SI-11 | high | Detailed error information and stack traces must not be exposed to end users |
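To make the password-storage rules concrete, here is an added illustration (not code from the nist-800-53 pack itself) of the pattern NIST-IA-002, NIST-IA-003 and NIST-SC-004 flag, an unsalted MD5 verifier, next to a compliant replacement using PBKDF2-HMAC-SHA256 with a per-user salt and constant-time verification. The iteration count and the stored-string layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# What the pack flags: an unsalted MD5 digest used as the stored password
# verifier (MD5 is prohibited by NIST-IA-003 and NIST-SC-004).
def store_password_noncompliant(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()  # flagged


# Compliant replacement: PBKDF2-HMAC with SHA-256 (a FIPS-approved
# construction), a random per-user salt and a recorded iteration count.
DEFAULT_ITERATIONS = 600_000  # assumed value for illustration; tune per environment


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store the parameters needed to re-derive the digest; the password itself
    # is never persisted. The "$"-separated layout is an assumed convention.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False  # refuse to verify against a non-approved scheme
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak the digest via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```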
Documentation obligations (8)
| ID | Clause | Description |
|---|---|---|
| NIST-AC-001 | AC-1 | Access control policy defining who can access what resources under which conditions |
| NIST-AU-001 | AU-1 | Audit and accountability policy defining what events are logged, how logs are protected, and retention requirements |
| NIST-CM-001 | CM-1 | Configuration management plan establishing baselines and tracking changes to system components |
| NIST-IA-001 | IA-1 | Identification and authentication policy defining authenticator management and verification requirements |
| NIST-SC-001 | SC-1 | System and communications protection policy defining encryption standards for data at rest and in transit |
| NIST-SI-001 | SI-1 | System and information integrity plan defining flaw remediation, malicious code protection, and monitoring procedures |
| NIST-RA-001 | RA-1 | Risk assessments identifying threats, vulnerabilities, and likelihood of impact to organizational systems |
| NIST-CA-001 | CA-7 | Continuous monitoring strategy defining ongoing assessment of security controls and system authorization |
Use case
Federal agencies, government contractors, and organizations pursuing FedRAMP authorization. The pack provides:
- Access control enforcement -- Catches unprotected route handlers and disabled account lockout across Python, JavaScript, and TypeScript
- Cryptographic compliance -- Flags plaintext passwords, hardcoded keys, weak hashing algorithms (MD5, SHA1, DES, RC4), and unencrypted HTTP transmission against FIPS 140 requirements
- Integrity protection -- Detects eval/exec on user input, missing input validation, and stack traces exposed in production
- Audit trail support -- Documentation obligations appear in HTML/SARIF reports, providing auditors with traceable compliance status against NIST SP 800-53 control families