NIST SP 800-53
21 rules that check NIST SP 800-53 Rev. 5 compliance, each tagged with the FIPS baseline at which it applies. LOW baseline rules apply to all federal systems; MODERATE baseline rules add controls for systems that process sensitive information.
| Rule ID | Severity | NIST Reference | Baseline | Category | Summary |
|---|---|---|---|---|---|
| NIST-NET-001 | CRITICAL | AC-4 | MODERATE | Information Flow Enforcement | Unrestricted any-to-any information flow |
| NIST-NET-002 | CRITICAL | AC-4 | MODERATE | Information Flow Enforcement | Overly broad source address |
| NIST-NET-003 | CRITICAL | AC-4 | MODERATE | Information Flow Enforcement | Overly broad destination address |
| NIST-NET-004 | CRITICAL | AC-4, CM-7 | LOW | Least Functionality | All ports or wide port range permitted |
| NIST-NET-005 | HIGH | AC-4, CM-7 | LOW | Least Functionality | All protocols permitted |
| NIST-NET-020 | HIGH | SC-8, SC-8(1) | MODERATE | Insecure Services | Unencrypted protocol detected |
| NIST-NET-021 | CRITICAL | CM-7, SC-8 | LOW | Insecure Services | Deprecated or broken protocol detected |
| NIST-NET-023 | HIGH | SC-8, IA-5(1) | MODERATE | Insecure Services | Insecure authentication protocol detected |
| NIST-NET-040 | CRITICAL | CM-7, SC-7 | LOW | High-Risk Service Exposure | High-risk port from broad source |
| NIST-NET-042 | CRITICAL | SC-7, CM-7 | LOW | High-Risk Service Exposure | High-risk port from broad/public source |
| NIST-NET-043 | CRITICAL | SC-7, CM-7 | LOW | High-Risk Service Exposure | Database port exposed to external network |
| NIST-NET-044 | CRITICAL | CM-7, SC-7 | LOW | High-Risk Service Exposure | Container/orchestration API exposed |
| NIST-NET-045 | CRITICAL | CM-7, SC-7 | LOW | High-Risk Service Exposure | IPMI/BMC exposed from non-management |
| NIST-NET-046 | CRITICAL | SC-7, AC-4 | LOW | High-Risk Service Exposure | ICS/SCADA protocols crossing boundaries |
| NIST-NET-050 | CRITICAL | AC-17, SC-7 | LOW | Remote Access Controls | Direct remote admin access from external |
| NIST-NET-052 | HIGH | AC-17, SC-7 | LOW | Remote Access Controls | Admin protocol from broad source |
| NIST-NET-061 | MEDIUM | SC-7, CM-7 | LOW | DNS and Covert Channels | DNS-over-HTTPS to known DoH providers |
| NIST-NET-062 | MEDIUM | SC-7, SC-7(9) | MODERATE | DNS and Covert Channels | Direct external DNS from protected segment |
| NIST-NET-070 | INFO | AC-4, SI-4 | LOW | Encrypted Tunnel Visibility | SSH tunnelling risk |
| NIST-NET-071 | INFO | AC-4, SC-7, SI-4 | LOW | Encrypted Tunnel Visibility | VPN tunnel in protected segment |
| NIST-NET-072 | INFO | SI-4, AC-4 | LOW | Encrypted Tunnel Visibility | Outbound HTTPS inspection blind spot |