ai · security · skills

Self-assessed · sample · NIST SP 800-53 rev 5

Initech: NIST SP 800-53 from one AICM run

The US control catalog. Same GRA diagnostic as CSF and AI RMF. Foundational NIST docks here via CSA’s CCM bridge; AI-only AICM controls stay unmapped.

Assessed on CSA AICM via the function diagnostic, then rolled through CSA’s CCM-bridged AICM→NIST SP 800-53 crosswalk. Readiness for conversation and planning, not a NIST attestation, audit opinion, or measured result.

Executive summary

Initech: 16 controls map to NIST SP 800-53 but are absent in the function attestation. Close those first for this lens. Self-assessed, not a NIST attestation.

Security and privacy control catalog — the US foundational gold standard.

Controls in this slice

26

Priority (mapped, absent)

16

Attested implemented

1

Matrix mapped / aligned

188

Matrix: 188 AICM controls on the CCM bridge · AI-only remainder 59 (compare under AI RMF ↔ AICM).

Control register

AICMTitleGapRefsPostureBoard line
GRC-01Governance Program Policy and ProceduresNo GapPL-1 PM-1 PM-17 AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 MP-1 PE-1 PS-1 PT-1 RA-1 SA-1 SC-1 SI-1 SR-1ImplementedSelf-attested in place; CSA maps to NIST SP 800-53.
GRC-02Risk Management ProgramNo GapPL-1 PL-2 PM-4 PM-9 PM-10 PM-28PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
GRC-03PriorityOrganizational Policy ReviewsNo GapPL-1 PM-1 PM-14 PM-17AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
HRS-15AI Acceptable UseUnmappedn/aPartialNo CSA AICM→NIST SP 800-53 mapping on this control id (AI-only or outside the CCM bridge).
GRC-15Human supervisionUnmappedn/aAbsentNo CSA AICM→NIST SP 800-53 mapping on this control id (AI-only or outside the CCM bridge).
AIS-01Application and Interface Security Policy and ProceduresNo GapCM-3 CM-3(2) PM-20 PM-20(1) SA-1 SA-4 SA-8 SA-8(29)-(33) SI-17PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
AIS-04PrioritySecure Application Development LifecycleNo GapPL-2 PL-8 PL-8(1) SA-3 SA-3(1) SA-4 SA-4(2) SA-4(3) SA-4(8) SA-4(9) SA-5 SA-8 SA-8(1)-(7) SA-8(9)-(13) SA-8(15)-(20) SA-8(22) SA-8(24)-(28) SA-8(30)-(33) SA-17 SA-17(1)-(9)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
AIS-07PriorityApplication Vulnerability RemediationNo GapSI-2 SI-2(2)-(6) SA-11 SA-11(2) SA-15 SA-15(1)-(3) SA-15(5)-(8) SA-15(10)-(12)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
TVM-01Threat and Vulnerability Management Policy and ProceduresNo GapPM-16 PM-16(1) PM-31 RA-5 SA-11 SA-11(2) SA-11(5) SA-15 SA-15(5) SA-15(8)PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
TVM-03PriorityVulnerability IdentificationNo GapPM-31 RA-3 RA-3(1) RA-5 RA-5(2)-(4) RA-5(6) SI-3 SI-3(10)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
TVM-08PriorityVulnerability Remediation ScheduleNo GapRA-2 RA-2(1) SA-11 SA-11(1) SA-15 SA-15(8) SI-2 SI-2(2) SI-3 SI-3(10)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
A&A-01Audit and Assurance Policy and ProceduresNo GapCA-1PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
A&A-02PriorityIndependent AssessmentsNo GapCA-2 CA-2(1) CA-2(2) CA-7 CA-7(1)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
A&A-05PriorityAudit Management ProcessNo GapCA-1 CA-2 PM-4AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
A&A-06PriorityRemediationNo GapCA-5 CA-5(1) PM-4AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
STA-01Supply Chain Risk Management Policies and ProceduresPartial GapSR-1 SR-2 SR-3 SR-5 SA-4 SA-4(1) SA-4(2) SA-4(5) SA-4(9) SA-4(10) PM-30PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
STA-08Supply Chain InventoryNo GapSR-2 SR-2(1) SR-4 SR-5 SR-5(1) SR-5(2) SR-6PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
STA-10PrioritySupply Chain Risk ManagementNo GapPM-30 PM-30(1) SR-2 SR-6AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
STA-13PrioritySupply Chain Compliance AssessmentNo GapSA-9 SA-9(1)-(8) SR-2 SR-2(1)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
BCR-01PriorityBusiness Continuity Management Policy and ProceduresNo GapCP-1 CP-2 PL-2AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
BCR-02PriorityRisk Assessment and Impact AnalysisNo GapCP-2 PM-8 PM-9AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
BCR-08BackupNo GapCP-4 CP-4(4) CP-6 CP-6(1)-(3) CP-9 CP-9(1) CP-9(2) CP-10 CP-10(2) CP-10(4)PartialPartially attested; close the practice gap before treating the NIST SP 800-53 mapping as ready.
BCR-06PriorityBusiness Continuity ExercisesNo GapAT-3 AT-3(3) CP-3 CP-3(1) CP-4 CP-4(4) IR-4 IR-4(3)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
IPY-01PriorityInteroperability and Portability Policy and ProceduresNo GapPT-2 PT-2(1) PT-3 PT-3(1) SC-1 SA-8 SA-8(8) SC-27 SC-29 SC-29(1)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
IPY-03PrioritySecure Interoperability and Portability ManagementNo GapPT-2 PT-2(2) SA-4 SC-16 SC-16(3)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.
IPY-04PriorityData Portability Contractual ObligationsPartial GapPT-2 PT-2(1) PT-3 PT-3(1) PT-4(3) SA-4 SA-4(11) SA-4(12) SI-12 SI-12(3)AbsentCSA maps to NIST SP 800-53, but practice is not attested. Priority for this lens.