NIST 800-53r5 Control Tagging Implementation Guide¶
Version: 1.0.0 Last Updated: 2025-01-18 Status: Active Standard Code: NIST-IG Tokens: ~2,500 Priority: Critical
Table of Contents¶
- 🚀 Quick Start
- 📋 What's Implemented
- 🏷️ Tagging Quick Reference
- 🔄 Workflow Integration
- 📊 Monitoring Compliance
- 🎯 Next Steps
- 📚 Documentation
- 🤝 Contributing
🚀 Quick Start¶
1. Install Git Hooks (Recommended)¶
This installs:
- Pre-commit hook for NIST tag validation
- Commit message template with NIST control hints
- Automatic tag suggestions for security code
2. Start Tagging Your Code¶
TypeScript/JavaScript¶
/**
* @nist ia-2 "User authentication"
* @nist ia-5 "Password management"
* @evidence code, test
*/
export async function authenticateUser(credentials: Credentials) {
// @nist ia-5.1 "Password complexity validation"
validatePassword(credentials.password);
// @nist au-2 "Audit authentication events"
await auditLog.record('auth.attempt', { user: credentials.username });
}
Python¶
# @nist ac-3 "Access enforcement"
# @nist ac-6 "Least privilege"
def check_permissions(user, resource, action):
"""
@nist-implements ac-3.a "Enforce approved authorizations"
"""
# Implementation
YAML Configuration¶
# @nist-controls: [sc-8, sc-13, ac-12]
security:
tls:
version: "1.3" # @nist sc-8 "Transmission confidentiality"
session:
timeout: 30 # @nist ac-12 "Session termination"
3. Run Compliance Checks¶
# Check current file
./scripts/nist-pre-commit.sh
# Generate SSP
cd standards/compliance
npm run generate-ssp
# Harvest evidence
npm run harvest-evidence
📋 What's Implemented¶
✅ Completed¶
- COMPLIANCE_STANDARDS.md: Comprehensive tagging guidelines
- NIST_TAGGING_PROPOSAL.md: Strategic approach document
- CLAUDE.md Updates: LLM context for NIST compliance
- GitHub Actions Workflow: Continuous compliance checking
- Pre-commit Hooks: Automatic validation and suggestions
- OSCAL Platform: Complete SSP and evidence generation
🔧 Available Tools¶
- Pre-commit Hook (
scripts/nist-pre-commit.sh) - Validates NIST tag format
- Suggests controls for security code
-
Configurable blocking/warning behavior
-
GitHub Actions (
.github/workflows/nist-compliance.yml) - PR validation and suggestions
- Coverage reporting
- Weekly compliance audits
-
Automatic SSP generation
-
OSCAL Compliance Platform (
standards/compliance/) - Semantic control mapping
- Evidence harvesting
- SSP generation
- Assessment automation
🏷️ Tagging Quick Reference¶
Common Security Patterns → NIST Controls¶
| Pattern | NIST Controls | Example Tag |
|---|---|---|
| Authentication | ia-2, ia-5 | @nist ia-2 "User authentication" |
| Authorization | ac-2, ac-3, ac-6 | @nist ac-3 "Access enforcement" |
| Encryption | sc-8, sc-13 | @nist sc-13 "Cryptographic protection" |
| Audit/Logging | au-2, au-3 | @nist au-2 "Audit events" |
| Session Management | ac-12 | @nist ac-12 "Session termination" |
| Input Validation | si-10, si-11 | @nist si-10 "Input validation" |
| Error Handling | si-11 | @nist si-11 "Error handling" |
🔄 Workflow Integration¶
Development Flow¶
- Write Code → Security feature detected
- IDE/Hook Suggests → Appropriate NIST controls
- Developer Tags → Using standard format
- Commit → Hook validates tags
- PR → CI suggests missing controls
- Merge → SSP auto-updates
CI/CD Pipeline¶
on: [push, pull_request]
jobs:
nist-compliance:
- Validate NIST tags ✓
- Suggest missing controls ✓
- Generate coverage report ✓
- Update SSP (on main) ✓
- Collect evidence (weekly) ✓
📊 Monitoring Compliance¶
Check Coverage¶
# Count total controls tagged
grep -r "@nist" . --include="*.ts" --include="*.js" | wc -l
# List unique controls
grep -r "@nist" . --include="*.ts" | grep -o "@nist [a-z][a-z]-[0-9]\+" | sort -u
# Find untagged security code
./scripts/nist-pre-commit.sh
Generate Reports¶
cd standards/compliance
# Generate System Security Plan
npm run generate-ssp -- --baseline moderate
# Collect compliance evidence
npm run harvest-evidence
# View in OSCAL format
cat oscal-output/ssp-*.json
🎯 Next Steps¶
For Developers¶
- Install git hooks:
./scripts/setup-nist-hooks.sh - Review COMPLIANCE_STANDARDS.md
- Start tagging security code with
@nistannotations - Use pre-commit hook for validation
For Security Teams¶
- Review generated SSPs in
standards/compliance/oscal-output/ - Configure baseline in GitHub Actions workflow
- Set up compliance dashboard monitoring
- Schedule regular compliance reviews
For LLM Users¶
When asking for code generation or review:
Please ensure all security-related code includes appropriate NIST 800-53r5 control tags.
Use format: @nist <control-id> "<description>"
Refer to COMPLIANCE_STANDARDS.md for guidelines.
📚 Documentation¶
- COMPLIANCE_STANDARDS.md - Detailed tagging guidelines
- NIST_TAGGING_PROPOSAL.md - Strategic approach
- standards/compliance/README.md - OSCAL platform docs
- CLAUDE.md - LLM context with NIST integration
Related Standards¶
- CODING_STANDARDS.md - General coding standards with NIST section
- MODERN_SECURITY_STANDARDS.md - Security implementation
- PROJECT_MANAGEMENT_STANDARDS.md - Compliance tracking
- UNIFIED_STANDARDS.md - Comprehensive standards overview
- STANDARDS_INDEX.md - Quick reference to all standards
🤝 Contributing¶
To improve NIST tagging:
- Update control mappings in
COMPLIANCE_STANDARDS.md - Add new patterns to pre-commit hook
- Enhance LLM prompts in
CLAUDE.md - Submit PRs with properly tagged code
Remember: The goal is to make compliance automatic and frictionless. Tag as you code, and let the tools handle the rest! 🚀