Overview

NIST Special Publication 800-53 Revision 5 provides a comprehensive catalog of security and privacy controls for information systems and organizations. Nabla’s automated assessment analyzes your infrastructure-as-code (IaC) to evaluate compliance against key NIST 800-53 controls.

Framework Details

  • Framework: NIST 800-53
  • Version: Revision 5
  • Baseline: Moderate (expandable to Low/High)
  • Output Format: OSCAL Assessment Results (JSON)

Assessed Control Families

Access Control (AC)

Control | Title                        | Assessment Method
------- | ---------------------------- | -----------------------------------------------
AC-2    | Account Management           | Detects IAM users, roles, and groups
AC-3    | Access Enforcement           | Evaluates IAM policies and security groups
AC-4    | Information Flow Enforcement | Analyzes network controls (VPCs, subnets, NACLs)
AC-6    | Least Privilege              | Identifies overly permissive wildcard (*) policies

Audit and Accountability (AU)

Control | Title                           | Assessment Method
------- | ------------------------------- | -----------------------------------------------
AU-2    | Event Logging                   | Detects CloudTrail, CloudWatch, S3 bucket logging
AU-9    | Protection of Audit Information | Verifies log storage encryption and versioning

Security Assessment and Authorization (CA)

Control | Title                 | Assessment Method
------- | --------------------- | -----------------------------------------------
CA-7    | Continuous Monitoring | Identifies CloudWatch alarms, AWS Config, GuardDuty

Configuration Management (CM)

Control | Title                  | Assessment Method
------- | ---------------------- | -----------------------------------------------
CM-2    | Baseline Configuration | Infrastructure-as-code represents versioned baselines

Contingency Planning (CP)

Control | Title         | Assessment Method
------- | ------------- | -----------------------------------------------------
CP-9    | System Backup | Detects AWS Backup vaults/plans, database backup retention

Identification and Authentication (IA)

Control | Title                             | Assessment Method
------- | --------------------------------- | -----------------------------------------------
IA-2    | Identification and Authentication | Analyzes IAM users, roles, Cognito user pools
IA-5    | Authenticator Management          | Detects access keys, login profiles, Cognito domains

System and Communications Protection (SC)

Control | Title                        | Assessment Method
------- | ---------------------------- | -----------------------------------------------
SC-7    | Boundary Protection          | Evaluates security groups, NACLs, VPCs
SC-8    | Transmission Confidentiality | Verifies HTTPS listeners, S3 encryption in transit
SC-13   | Cryptographic Protection     | Identifies KMS keys and encryption mechanisms

System and Information Integrity (SI)

Control | Title             | Assessment Method
------- | ----------------- | -----------------------------------------------
SI-4    | System Monitoring | Detects CloudWatch, GuardDuty, AWS Config

Evidence Collection

The assessor automatically extracts evidence from your infrastructure resources:
    {
      "evidence": [
        "IAM resource: aws_iam_user.admin",
        "Access control resource: aws_security_group.web_tier",
        "Logging resource: aws_cloudtrail.main",
        "Encryption key: aws_kms_key.data_key"
      ]
    }

Compliance Status

Each control is assigned one of three statuses:
  • Satisfied: Required controls are properly configured
  • NotSatisfied: Controls are missing or misconfigured
  • NotApplicable: Control cannot be assessed from IaC
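To make concrete how an IaC assessor of this kind turns Terraform state into the evidence strings and the three statuses described above, here is an added example (it is not Nabla's code, and Nabla's actual checks are not published on this page). It evaluates two of the controls from the tables, AC-6 (wildcard IAM policies) and SC-7 (security groups open to the internet), over a constructed Terraform state document. The wildcard and world-open heuristics, the resource names and the management-port list are all assumptions made for the example.

```python
import json

# Constructed Terraform state (format version 4) used as sample input; it is not
# taken from the page, and the resource names are invented.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_policy", "name": "admin_all",
         "instances": [{"attributes": {"policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}]},
        {"mode": "managed", "type": "aws_iam_role_policy", "name": "reader",
         "instances": [{"attributes": {"policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow",
                            "Action": ["s3:GetObject", "s3:ListBucket"],
                            "Resource": "arn:aws:s3:::example-bucket/*"}]})}}]},
        {"mode": "managed", "type": "aws_security_group", "name": "web_tier",
         "instances": [{"attributes": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}]},
    ],
}

POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy"}
MANAGEMENT_PORTS = {22, 3389}   # assumed heuristic: SSH and RDP should not face the internet
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_wildcard(stmt):
    """Assumed AC-6 heuristic: an Allow statement granting every action ("*" or
    "service:*"), or a wildcard action on every resource ("*")."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    any_action = any(a == "*" or a.endswith(":*") for a in actions)
    any_resource = "*" in _as_list(stmt.get("Resource"))
    return any_action or (any_resource and any("*" in a for a in actions))


def rule_is_world_open(rule):
    """Assumed SC-7 heuristic: ingress from the whole internet on all protocols
    or on a management port."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & WORLD_CIDRS:
        return False
    if str(rule.get("protocol")) == "-1":      # "-1" means all protocols in Terraform
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return any(lo <= p <= hi for p in MANAGEMENT_PORTS)


def _status(applicable, failures):
    """Map check results onto the page's three statuses."""
    if not applicable:
        return "NotApplicable"
    return "NotSatisfied" if failures else "Satisfied"


def assess(state):
    """Evaluate AC-6 and SC-7 over a Terraform state dict. Returns, per control, a
    status, evidence strings in the page's "<kind>: <type>.<name>" format, and findings."""
    resources = [r for r in state.get("resources", []) if r.get("mode", "managed") == "managed"]
    ac6_evidence, ac6_findings = [], []
    for r in (r for r in resources if r["type"] in POLICY_TYPES):
        address = f"{r['type']}.{r['name']}"
        ac6_evidence.append(f"IAM resource: {address}")
        for inst in r.get("instances", []):
            policy = inst.get("attributes", {}).get("policy")   # stored as a JSON string in state
            doc = json.loads(policy) if isinstance(policy, str) else (policy or {})
            for stmt in _as_list(doc.get("Statement")):
                if statement_is_wildcard(stmt):
                    ac6_findings.append(f"{address}: Allow statement uses wildcard Action="
                                        f"{stmt.get('Action')!r} Resource={stmt.get('Resource')!r}")
    sc7_evidence, sc7_findings = [], []
    for r in (r for r in resources if r["type"] == "aws_security_group"):
        address = f"{r['type']}.{r['name']}"
        sc7_evidence.append(f"Access control resource: {address}")
        for inst in r.get("instances", []):
            for rule in inst.get("attributes", {}).get("ingress") or []:
                if rule_is_world_open(rule):
                    cidrs = sorted(set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or []))
                    sc7_findings.append(f"{address}: ingress {rule.get('from_port')}-{rule.get('to_port')}"
                                        f"/{rule.get('protocol')} open to {cidrs}")
    return {
        "AC-6": {"status": _status(ac6_evidence, ac6_findings), "evidence": ac6_evidence, "findings": ac6_findings},
        "SC-7": {"status": _status(sc7_evidence, sc7_findings), "evidence": sc7_evidence, "findings": sc7_findings},
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_STATE), indent=2))
```

On the sample state, AC-6 comes back NotSatisfied because of the `Action: "*"` policy while the scoped S3 policy is left alone, and SC-7 is NotSatisfied for the SSH rule but not for HTTPS on 443. A state with no policies or security groups yields NotApplicable, matching the page's definition that the control cannot be assessed from the IaC at hand.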

Current Infrastructure Coverage

AWS-First Approach: The current implementation focuses on AWS resources as a starting point. We are actively expanding support for:
  • Azure (azurerm_* resources)
  • Google Cloud Platform (google_* resources)
  • Kubernetes and container infrastructure
  • Multi-cloud architectures
If you have specific resource types you’d like to see supported, please reach out to our team.

Supported AWS Resources

The assessor currently recognizes these AWS resource types:

Identity & Access Management
  • aws_iam_user, aws_iam_role, aws_iam_group
  • aws_iam_policy, aws_iam_role_policy, aws_iam_policy_attachment
  • aws_iam_access_key, aws_iam_user_login_profile
  • aws_cognito_user_pool, aws_cognito_user_pool_domain
Networking
  • aws_vpc, aws_subnet, aws_route_table
  • aws_security_group, aws_network_acl
Logging & Monitoring
  • aws_cloudtrail, aws_cloudwatch_log_group, aws_cloudwatch_metric_alarm
  • aws_s3_bucket_logging, aws_flow_log
  • aws_guardduty_detector, aws_config_configuration_recorder
Encryption & Key Management
  • aws_kms_key, aws_kms_alias
  • aws_s3_bucket_server_side_encryption_configuration
Backup & Recovery
  • aws_backup_vault, aws_backup_plan
  • aws_db_instance (backup retention checks)
Load Balancing & Traffic
  • aws_lb_listener, aws_alb_listener

OSCAL Output Structure

Assessment results are returned in OSCAL 1.0.4 format:
    {
      "assessment-results": {
        "uuid": "550e8400-e29b-41d4-a716-446655440000",
        "metadata": {
          "title": "Nabla NIST 800-53 Assessment",
          "version": "1.0.0",
          "oscal-version": "1.0.4"
        },
        "results": [{
          "title": "NIST 800-53 IaC Assessment",
          "observations": [...],
          "findings": [...],
          "reviewed-controls": {
            "control-selections": [{
              "include-controls": [
                { "control-id": "AC-2" },
                { "control-id": "AC-3" }
              ]
            }]
          }
        }]
      }
    }

Example Assessment

    curl --request POST \
      --url https://api.usenabla.com/v1/fedramp \
      --header 'Content-Type: application/json' \
      --header 'X-Customer-Key: <x-customer-key>' \
      --data '{
        "name": "<string>",
        "format": "oscal",
        "source_type": "terraform_state",
        "source_content": "<string>"
      }'

Interpreting Results

Satisfied Controls

Controls marked as Satisfied indicate that:
  • Required infrastructure resources are present
  • Security configurations meet baseline requirements
  • Evidence was successfully extracted from IaC

Not Satisfied Controls

Controls marked as NotSatisfied may indicate:
  • Missing security controls (e.g., no CloudTrail logging)
  • Misconfigured resources (e.g., overly permissive IAM policies)
  • Weak cryptographic implementations

Findings

Each finding includes:
  • Control ID: Which control failed
  • Description: What issue was detected
  • Related Observations: Links to specific evidence
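The OSCAL document above elides its observations and findings, and the list just given describes what each finding carries. The following added example (not Nabla's code) shows how a consumer would join findings to their related observations and roll the result up per control and per control family. The sample document is constructed: its field layout follows the OSCAL 1.0.4 finding and observation objects (`target.target-id`, `target.status.state`, `related-observations[].observation-uuid`), but the page does not show exactly how Nabla encodes the three statuses, so the status normalisation and the UUIDs are assumptions.

```python
from collections import Counter

# Constructed OSCAL 1.0.4 assessment-results fragment used as sample input. The
# layout follows OSCAL's finding/observation objects; Nabla's exact output shape is
# not shown on the page, so treat the field names as an assumption. UUIDs are invented.
SAMPLE_RESULTS = {
    "assessment-results": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "Nabla NIST 800-53 Assessment", "version": "1.0.0",
                     "oscal-version": "1.0.4"},
        "results": [{
            "title": "NIST 800-53 IaC Assessment",
            "observations": [
                {"uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1",
                 "description": "IAM resource: aws_iam_user.admin", "methods": ["TEST"]},
                {"uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa2",
                 "description": "Logging resource: aws_cloudtrail.main", "methods": ["TEST"]},
            ],
            "findings": [
                {"uuid": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb1", "title": "AC-2 Account Management",
                 "description": "IAM users, roles and groups are defined in IaC",
                 "target": {"type": "objective-id", "target-id": "AC-2",
                            "status": {"state": "satisfied"}},
                 "related-observations": [{"observation-uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1"}]},
                {"uuid": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb2", "title": "AC-6 Least Privilege",
                 "description": "Policy grants Action \"*\" on Resource \"*\"",
                 "target": {"type": "objective-id", "target-id": "AC-6",
                            "status": {"state": "not-satisfied"}},
                 "related-observations": [{"observation-uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa1"}]},
                {"uuid": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb3", "title": "AU-2 Event Logging",
                 "description": "CloudTrail trail is configured",
                 "target": {"type": "objective-id", "target-id": "AU-2",
                            "status": {"state": "satisfied"}},
                 "related-observations": [{"observation-uuid": "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaa2"}]},
                # Constructed: an organisational control that cannot be judged from IaC.
                {"uuid": "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbb4", "title": "AT-2 Literacy Training",
                 "description": "Cannot be assessed from IaC",
                 "target": {"type": "objective-id", "target-id": "AT-2",
                            "status": {"state": "not-applicable"}},
                 "related-observations": []},
            ],
        }],
    }
}

# Assumed mapping from OSCAL-style state strings onto the page's three statuses.
STATUS_MAP = {"satisfied": "Satisfied", "notsatisfied": "NotSatisfied",
              "notapplicable": "NotApplicable"}


def normalize_status(state):
    """Accept 'not-satisfied', 'not_satisfied' or 'NotSatisfied' alike; unknown
    values are returned unchanged so they are visible rather than silently dropped."""
    key = str(state).strip().lower().replace("-", "").replace("_", "")
    return STATUS_MAP.get(key, str(state))


def summarize(doc):
    """Join each finding to its related observations and key the result by control id.
    Returns {control_id: {"status": ..., "description": ..., "evidence": [...]}}."""
    summary = {}
    for result in doc["assessment-results"].get("results", []):
        observations = {o["uuid"]: o for o in result.get("observations", [])}
        for finding in result.get("findings", []):
            target = finding.get("target", {})
            evidence = [observations[ref["observation-uuid"]].get("description", "")
                        for ref in finding.get("related-observations", [])
                        if ref.get("observation-uuid") in observations]
            summary[target.get("target-id")] = {
                "status": normalize_status(target.get("status", {}).get("state", "")),
                "description": finding.get("description", ""),
                "evidence": evidence,
            }
    return summary


def failing_controls(summary):
    """Control ids that need investigation, sorted for stable reporting."""
    return sorted(cid for cid, f in summary.items() if f["status"] == "NotSatisfied")


def status_by_family(summary):
    """Count statuses per control family, i.e. the prefix before the hyphen (AC, AU, ...)."""
    counts = {}
    for cid, f in summary.items():
        counts.setdefault(cid.split("-")[0], Counter())[f["status"]] += 1
    return {family: dict(c) for family, c in sorted(counts.items())}


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    for cid in failing_controls(s):
        print(cid, s[cid]["description"], s[cid]["evidence"])
    print(status_by_family(s))
```

Because the join is by observation UUID, a finding that references an observation missing from the document simply carries no evidence rather than failing the whole report; when tracking posture over time (Best Practice 3 below), the per-family counts give a compact series to diff between runs.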

Limitations

This automated assessment has important limitations:
  • IaC-Only Analysis: Only evaluates resources defined in Terraform/IaC
  • Runtime Behavior: Cannot assess operational security practices
  • Organizational Controls: Some controls (e.g., security training) require manual assessment
  • AWS-Focused: Currently optimized for AWS resources (expanding to multi-cloud)

Best Practices

  1. Combine with Manual Assessment: Use automated results as a starting point, not a complete assessment
  2. Review Findings: Each finding should be investigated in context of your architecture
  3. Track Over Time: Run assessments regularly to monitor compliance posture
  4. Supplement with Runtime Evidence: Consider integrating runtime security scanning