CNSSI 12-53: New Security Control Catalog for National Security Systems

by Bruce Brown | 10 Comments

2014 Update: DIACAP has been upgraded to the Risk Management Framework for DoD IT (aka DIARMF). It is based on NIST SP 800-37, Risk Management Framework for Federal IT, and takes from CNSSI 1253.

Risk Management Framework for DoD IT takes all IA Controls (Security Controls) from NIST SP 800-53.

New DIACAP Certification & Accreditation IA Controls

The DoD has had the same IA controls since DoD 8510.1-M, Department of Defense Information Technology System Certification & Accreditation Process (DITSCAP), July 31, 2000 – it was developed late last century.

The DoD has a total of 157 IA controls spread across 8 subject areas in 4 classes:

DC – Security Design & Configuration

IA – Identification and Authentication

EC – Enclave & Computing

EB – Enclave Boundary Defense

PE – Physical & Environmental

PR – Personnel

CO – Continuity

VI – Vulnerability

There is a huge change coming in certification & accreditation for the DoD. The IA controls are being expanded and changed. The last two DIACAP classes I’ve been to mentioned that there is a big change coming. Essentially, all the IA Controls (security controls, safeguards, countermeasures... whatever your organization is calling them) are getting expanded. All federal organizations will have security controls that look more like what is in the National Institute of Standards and Technology Special Publication 800-53. This is all being placed in the Committee on National Security Systems Instruction (CNSSI) 1253. As of 25 June 2009, the CNSSI 1253 is still in draft.

The draft has 17 families & identifiers in three security control classes.


AC – Access Control (Technical)

AT – Awareness and Training (Operational)

AU – Audit and Accountability (Technical)

CA – Certification, Accreditation, and Security Assessments (Management)

CM – Configuration Management (Operational)

CP – Contingency Planning (Operational)

IA – Identification and Authentication (Technical)

IR – Incident Response (Operational)

MA – Maintenance (Operational)

MP – Media Protection (Operational)

PE – Physical and Environmental Protection (Operational)

PL – Planning (Management)

PS – Personnel Security (Operational)

RA – Risk Assessment (Management)

SA – System and Services Acquisition (Management)

SC – System and Communications Protection (Technical)

The CNSSI has about 500 controls with pretty good granularity.

One of the really cool things about 1253 was the security control mapping. It’s a table that matches up 800-53, DCID 6/3 and DODI 8500.2.

10 Comments on CNSSI 12-53: New Security Control Catalog for National Security Systems

  1. cschooley
    July 7, 2009 at 6:45 pm (9 years ago)

    Great info. 8500.2 is huge where I'm at now, and it's encouraging to know that there will be a mapping table (DCID to 8500.2 is one trick we have been asked to perform in the past).

    Do you happen to have a link to the draft?

    • elamb
      July 8, 2009 at 12:40 am (9 years ago)

      I don't have a link to it but I can send it to you.

      • mramos
        September 18, 2009 at 3:46 pm (9 years ago)


        Could you please send me a copy of this draft security control mapping table. I am working on a C&A effort for a product in which we have used DCID 6/3 in the past and will now have to use the CNSSI 1253. We're trying to work out which of the old test procedures we can reuse for the 1253 world and this mapping document sounds like it would be very helpful. Please send it to Thank you.



      • rmonroe
        January 18, 2010 at 6:07 pm (8 years ago)

        Can I get a copy of this draft?

  2. Chris Williams
    September 14, 2009 at 7:13 pm (9 years ago)

    Hi Rob, I found your site while searching for CNSSI 1253. I'm trying to map 800-53 to 8500.2 and would be most thankful if you could send me this document as well.


  3. John Myers
    October 6, 2009 at 8:40 pm (9 years ago)

    Hi Rab,
    I teach the DIACAP course for my organization. If your offer to send a copy of CNSSI 1253 still stands, I would be very appreciative for a copy. Or where a copy may be obtained. It pays to be proactive in this business. Thanks in advance.

  4. David Johnson
    October 8, 2009 at 8:53 am (9 years ago)

    Hello, I developed a tool intended to greatly enhance the efficiency and meaningfulness of the NIST SP 800-53/-53A C&A process. I have recently begun work on the DoD side, and am interested in developing a similar tool useful for a DIACAP C&A process. Could I please have a copy of the recent draft of CNSSI 1253? Also, I am interested in exploring opportunities to contribute. Thank you, David

    • philli
      January 31, 2010 at 4:01 pm (8 years ago)

      David, I would be interested in your work and collaboration as well. We are working on bridging a business process management to the C&A using integrated SharePoint 2010 solutions. Since the DISA/eMass is already on SharePoint the new capabilities of 2010 allow us to scale much quicker to DoD and all components. You can contact me at

  5. David
    October 8, 2009 at 8:56 am (9 years ago)

    Please disregard the previous comment

  6. Dave
    January 15, 2010 at 3:33 pm (8 years ago)

    I'd like to get a copy of the mappings, please.

