NIST SP 800-53 Rev 5

Security and privacy controls for federal information systems. Baseline for FedRAMP, DoD, and regulated US industries. The most granular US control catalog.

Federal agencies, defense contractors, FedRAMP ISVs

14

control domains mapped

32

products applicable

6

other frameworks cross-mapped

Official doc

NIST SP 800-53 Rev 5

IA-2(6) Identification and Authentication — Network Access — MFA

Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.

SC-7 Boundary Protection

Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.

Products that satisfy this control:

SC-42 Sensor Capability and Data

Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.

PE-3 Physical Access Control

Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.

MP-4 Media Storage — physically control and securely store media

UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).

Products that satisfy this control:

CP-11 Alternate Communications Protocols

Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.

Products that satisfy this control:

PE-19 Information Leakage (emanations security)

MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.

Products that satisfy this control: