NIST 800-53 Control Files

Architecture

products/rhel8/controls/
├── nist_800_53.yml              # RHEL8-specific metadata
└── nist_800_53/                 # RHEL8-specific family files (NO guards)
    ├── ac.yml                   # Only rules available in rhel8
    ├── au.yml
    └── ... (21 family files)

products/rhel9/controls/
├── nist_800_53.yml              # RHEL9-specific metadata
└── nist_800_53/                 # RHEL9-specific family files (NO guards)
    ├── ac.yml                   # Only rules available in rhel9
    ├── au.yml
    └── ... (21 family files)

products/rhel10/controls/
├── nist_800_53.yml              # RHEL10-specific metadata
└── nist_800_53/                 # RHEL10-specific family files (NO guards)
    ├── ac.yml                   # Only rules available in rhel10
    ├── au.yml
    └── ... (21 family files)

Benefits of Product-Specific Controls

✅ Cleaner files - No Jinja2 conditional logic
✅ Better separation - Each product can evolve independently
✅ Easier to read - No guards cluttering the rule lists
✅ No build errors - No NoneType errors from guards evaluating to None
✅ Smaller files - Only rules that actually apply to the product

File Structure

Product-Specific Control Files

Each product has its own dedicated NIST 800-53 control files:

Metadata File: products/{product}/controls/nist_800_53.yml

policy: NIST 800-53 Revision 5
title: NIST Special Publication 800-53 Revision 5
id: nist_800_53
version: Revision 5
product: rhel9                    # Product-specific
controls_dir: nist_800_53         # Points to family files
levels:
  - id: low
  - id: moderate
  - id: high

Family Files: products/{product}/controls/nist_800_53/*.yml (21 files)

Example: products/rhel9/controls/nist_800_53/au.yml

# NIST 800-53 AU Family: Audit and Accountability
controls:
  - id: au-2
    title: Event Logging
    levels:
      - low
      - moderate
      - high
    rules:
      - aide_build_database
      - aide_periodic_cron_checking
      - audit_rules_execution_chacl
      # ... only rules available in rhel9
    status: automated

OSCAL Metadata

OSCAL metadata (description, parameters, guidance, related_controls) is NOT included in control files to keep them lean and focused on rule mappings.

How to retrieve OSCAL metadata:

Direct from NIST OSCAL Catalog: Download from NIST OSCAL
On-demand retrieval: Web application or API can load the OSCAL JSON catalog and extract metadata by control ID
Build-time enrichment: If needed for documentation, retrieve during build process

Benefits:

Control files stay small (~50-200 lines per family vs. thousands)
OSCAL data retrieved from authoritative source (NIST catalog)
No duplication across products
Updates to OSCAL catalog don’t require regenerating control files

Reference Files (Auto-Generated)

Reference files are auto-generated weekly for comparison:

shared/references/controls/
├── nist_800_53_cis_reference_rhel8.yml
├── nist_800_53_cis_reference_rhel8/    # 21 family files
│   ├── ac.yml
│   ├── au.yml
│   └── ...
├── nist_800_53_cis_reference_rhel9.yml
├── nist_800_53_cis_reference_rhel9/    # 21 family files
├── nist_800_53_cis_reference_rhel10.yml
└── nist_800_53_cis_reference_rhel10/   # 21 family files

Purpose: Generated from CIS benchmark + NIST OSCAL for comparison
Maintained By: 🤖 Weekly automation (DO NOT edit manually)
Usage: Compare with product control files to detect changes

Control File Content

Each control entry contains:

- id: au-2                        # NIST control ID
  title: Event Logging            # Control title
  levels:                         # Baseline applicability
    - low
    - moderate
    - high
  rules:                          # Rules that implement this control
    - var_audit_backlog_limit=8192
    - aide_build_database
    - audit_rules_execution_chacl
  status: automated               # automated | manual | pending

Field Descriptions:

id: NIST 800-53 control identifier (lowercase)
title: Short descriptive title from NIST catalog
levels: LOW/MODERATE/HIGH baseline applicability
rules: Rule IDs and variable assignments that implement the control
status:
- automated - Has rules/checks
- pending - No rules yet
- manual - Requires manual verification

How Profiles Use Control Files

Product profiles reference their own NIST control files:

Profile: products/rhel9/profiles/cis_nist.profile

selections:
  - nist_800_53:all    # References products/rhel9/controls/nist_800_53.yml

The build system automatically:

Loads products/rhel9/controls/nist_800_53.yml metadata
Reads controls_dir: nist_800_53 field
Loads all .yml files from products/rhel9/controls/nist_800_53/
Merges into single control tree
Expands nist_800_53:all to include all rules from all controls

Generating Control Files

Control files are generated using the NIST sync toolkit:

cd utils/nist_sync

# Generate reference files for all products
./generate_cis_nist_workflow.sh

# Generate for specific product
python3 sync_nist_split.py --product rhel9

# Copy reference to product directory
cp shared/references/controls/nist_800_53_cis_reference_rhel9.yml \
   products/rhel9/controls/nist_800_53.yml
cp -r shared/references/controls/nist_800_53_cis_reference_rhel9/* \
   products/rhel9/controls/nist_800_53/

See utils/nist_sync/README.md for details.

Workflow

Weekly Automated Sync

Every Sunday at 2 PM UTC, GitHub Actions:

Downloads latest NIST OSCAL catalog
Generates product-specific reference files for rhel8, rhel9, rhel10
Compares with previous version
Creates PR if changes detected

Reference files updated automatically. Product control files require manual review.

Manual Updates

To update product control files:

# 1. Generate reference files
cd utils/nist_sync
./generate_cis_nist_workflow.sh

# 2. Compare reference vs. product files
diff -ur shared/references/controls/nist_800_53_cis_reference_rhel9/ \
         products/rhel9/controls/nist_800_53/

# 3. Review differences and manually update if needed
vim products/rhel9/controls/nist_800_53/au.yml

# 4. Test build
./build_product rhel9 --datastream-only

# 5. Commit changes
git add products/rhel9/controls/nist_800_53/
git commit -m "Update RHEL9 NIST 800-53 controls"

Family Breakdown

Family	Name	Controls	Description
AC	Access Control	147	User access, permissions, least privilege
AT	Awareness and Training	17	Security awareness, role-based training
AU	Audit and Accountability	69	Logging, monitoring, audit records
CA	Assessment, Authorization, Monitoring	32	Security assessments, continuous monitoring
CM	Configuration Management	66	Baseline configs, change control
CP	Contingency Planning	56	Backup, disaster recovery, continuity
IA	Identification and Authentication	74	User authentication, MFA, credentials
IR	Incident Response	42	Incident handling, response procedures
MA	Maintenance	30	System maintenance, tools, personnel
MP	Media Protection	30	Removable media, sanitization, disposal
PE	Physical and Environmental Protection	59	Physical access, environmental controls
PL	Planning	17	Security planning, architecture
PM	Program Management	37	Program-level controls, governance
PS	Personnel Security	18	Background checks, termination procedures
PT	PII Processing and Transparency	21	Privacy, personally identifiable information
RA	Risk Assessment	26	Vulnerability scanning, risk analysis
SA	System and Services Acquisition	147	SDLC, supply chain, developer controls
SC	System and Communications Protection	162	Network security, encryption, boundaries
SI	System and Information Integrity	119	Malware protection, security alerts
SR	Supply Chain Risk Management	27	Supply chain security, provenance
OTHER	CIS Items Without NIST Mapping	102	CIS rules not explicitly mapped to NIST

Total: 1,196 NIST controls + 102 unmapped CIS items = 1,298 total controls

References

NIST OSCAL: https://pages.nist.gov/OSCAL/
NIST 800-53 Rev 5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
Sync Toolkit: utils/nist_sync/README.md
GitHub Workflow: .github/workflows/cis-nist-sync.yml