Self-assessed · sample · NIST SP 800-53 rev 5
Initech: NIST SP 800-53 from one AICM run
The US control catalog. Same GRA diagnostic as CSF and AI RMF. Foundational NIST docks here via CSA’s CCM bridge; AI-only AICM controls stay unmapped.
Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s CCM-bridged AICM→NIST SP 800-53 crosswalk. Readiness for conversation and planning, not a NIST attestation, audit opinion, or measured result.
Executive summary
Initech: 16 controls map to NIST SP 800-53 but are absent in the function attestation. Close those first for this lens. Self-assessed, not a NIST attestation.
Security and privacy control catalog — the US foundational gold standard.
Controls in this slice
26
Priority (mapped, absent)
16
Attested implemented
1
Matrix mapped / aligned
188
Matrix: 188 AICM controls on the CCM bridge · AI-only remainder 59 (compare under AI RMF ↔ AICM).
Control register
| AICM | Title | Gap | Refs | Posture | Board line |
|---|---|---|---|---|---|
| GRC-01 | Governance Program Policy and Procedures | No Gap | PL-1 PM-1 PM-17 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1 | Implemented | Self-attested in place; CSA maps to NIST SP 800-53. |
| GRC-02 | Risk Management Program | No Gap | PL-1 PL-2 PM-4 PM-9 PM-10 PM-28 | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| GRC-03Priority | Organizational Policy Reviews | No Gap | PL-1 PM-1 PM-14 PM-17 | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| HRS-15 | AI Acceptable Use | Unmapped | n/a | Partial | No CSA AICM→NIST SP 800-53 mapping on this control id (AI-only or outside the CCM bridge). |
| GRC-15 | Human supervision | Unmapped | n/a | Absent | No CSA AICM→NIST SP 800-53 mapping on this control id (AI-only or outside the CCM bridge). |
| AIS-01 | Application and Interface Security Policy and Procedures | No Gap | CM-3 CM-3(2) PM-20 PM-20(1) SA-1 SA-4 SA-8 SA-8(29)-(33) SI-17 | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| AIS-04Priority | Secure Application Development Lifecycle | No Gap | PL-2 PL-8 PL-8(1) SA-3 SA-3(1) SA-4 SA-4(2) SA-4(3) SA-4(8) SA-4(9) SA-5 SA-8 SA-8(1)-(7) SA-8(9)-(13) SA-8(15)-(20) SA-8(22) SA-8(24)-(28) SA-8(30)-(33) SA-17 SA-17(1)-(9) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| AIS-07Priority | Application Vulnerability Remediation | No Gap | SI-2 SI-2(2)-(6) SA-11 SA-11(2) SA-15 SA-15(1)-(3) SA-15(5)-(8) SA-15(10)-(12) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| TVM-01 | Threat and Vulnerability Management Policy and Procedures | No Gap | PM-16 PM-16(1) PM-31 RA-5 SA-11 SA-11(2) SA-11(5) SA-15 SA-15(5) SA-15(8) | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| TVM-03Priority | Vulnerability Identification | No Gap | PM-31 RA-3 RA-3(1) RA-5 RA-5(2)-(4) RA-5(6) SI-3 SI-3(10) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| TVM-08Priority | Vulnerability Remediation Schedule | No Gap | RA-2 RA-2(1) SA-11 SA-11(1) SA-15 SA-15(8) SI-2 SI-2(2) SI-3 SI-3(10) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| A&A-01 | Audit and Assurance Policy and Procedures | No Gap | CA-1 | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| A&A-02Priority | Independent Assessments | No Gap | CA-2 CA-2(1) CA-2(2) CA-7 CA-7(1) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| A&A-05Priority | Audit Management Process | No Gap | CA-1 CA-2 PM-4 | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| A&A-06Priority | Remediation | No Gap | CA-5 CA-5(1) PM-4 | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| STA-01 | Supply Chain Risk Management Policies and Procedures | Partial Gap | SR-1 SR-2 SR-3 SR-5 SA-4 SA-4(1) SA-4(2) SA-4(5) SA-4(9) SA-4(10) PM-30 | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| STA-08 | Supply Chain Inventory | No Gap | SR-2 SR-2(1) SR-4 SR-5 SR-5(1) SR-5(2) SR-6 | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| STA-10Priority | Supply Chain Risk Management | No Gap | PM-30 PM-30(1) SR-2 SR-6 | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| STA-13Priority | Supply Chain Compliance Assessment | No Gap | SA-9 SA-9(1)-(8) SR-2 SR-2(1) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| BCR-01Priority | Business Continuity Management Policy and Procedures | No Gap | CP-1 CP-2 PL-2 | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| BCR-02Priority | Risk Assessment and Impact Analysis | No Gap | CP-2 PM-8 PM-9 | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| BCR-08 | Backup | No Gap | CP-4 CP-4(4) CP-6 CP-6(1)-(3) CP-9 CP-9(1) CP-9(2) CP-10 CP-10(2) CP-10(4) | Partial | Partially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready. |
| BCR-06Priority | Business Continuity Exercises | No Gap | AT-3 AT-3(3) CP-3 CP-3(1) CP-4 CP-4(4) IR-4 IR-4(3) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| IPY-01Priority | Interoperability and Portability Policy and Procedures | No Gap | PT-2 PT-2(1) PT-3 PT-3(1) SC-1 SA-8 SA-8(8) SC-27 SC-29 SC-29(1) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| IPY-03Priority | Secure Interoperability and Portability Management | No Gap | PT-2 PT-2(2) SA-4 SC-16 SC-16(3) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |
| IPY-04Priority | Data Portability Contractual Obligations | Partial Gap | PT-2 PT-2(1) PT-3 PT-3(1) PT-4(3) SA-4 SA-4(11) SA-4(12) SI-12 SI-12(3) | Absent | CSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens. |