NIST 800-53 Control Mapping

GOVERN implements NIST SP 800-53 Rev 5 controls as part of its federal deployment configuration. This page documents GOVERN’s control implementations and shared responsibilities.

Control Family Summary

| Family                          | Controls Implemented | Coverage |
|---------------------------------|----------------------|----------|
| AC — Access Control             | 25                   | Full     |
| AU — Audit & Accountability     | 16                   | Full     |
| CA — Assessment & Authorization | 9                    | Partial  |
| CM — Configuration Management   | 14                   | Full     |
| CP — Contingency Planning       | 13                   | Partial  |
| IA — Identification & Auth      | 13                   | Full     |
| IR — Incident Response          | 10                   | Partial  |
| MA — Maintenance                | 6                    | Partial  |
| MP — Media Protection           | 8                    | Partial  |
| PE — Physical & Environmental   | 20                   | Customer |
| PL — Planning                   | 11                   | Partial  |
| PM — Program Management         | 32                   | Partial  |
| PS — Personnel Security         | 9                    | Customer |
| RA — Risk Assessment            | 10                   | Full     |
| SA — System & Services Acq      | 23                   | Partial  |
| SC — System & Comm Protection   | 51                   | Full     |
| SI — System & Info Integrity    | 23                   | Full     |

Selected Control Implementations

AC-2: Account Management

Implementation: GOVERN provides a full user account lifecycle management system:

  • Account provisioning with approval workflow
  • Role-based access control (RBAC) with least privilege
  • Account review dashboard (quarterly review reminders)
  • Automatic account suspension after 90 days of inactivity
  • Account termination workflow with access revocation evidence

AC-17: Remote Access

Implementation:

  • All remote access requires MFA (CAC/PIV or TOTP for non-federal)
  • Session tokens expire after 8 hours
  • Concurrent session limits per user role
  • Remote access audit trail captures IP, device, and session duration

AU-2: Event Logging

Implementation: GOVERN logs the following event types:

  • Authentication events (success, failure, MFA)
  • Authorization decisions (allow, deny, escalate)
  • AI system assessments (score changes, policy violations)
  • Alert lifecycle (create, acknowledge, escalate, resolve)
  • Configuration changes (all admin actions)
  • Data access (sensitive AI system data exports)

AU-9: Protection of Audit Information

Implementation:

  • Audit logs stored in separate, immutable log store
  • Write-once storage (logs cannot be modified or deleted)
  • Cryptographic integrity verification (SHA-256 chaining)
  • Log export to separate SIEM (logs survive GOVERN compromise)
  • Access to raw audit logs restricted to audit_admin role
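The SHA-256 chaining named above, shown as an added illustration rather than GOVERN's own code: each record's hash binds in the previous record's hash, so editing or deleting a record in the middle of the store breaks verification at that record, while silent truncation of the tail is only caught by comparing the head hash with a copy kept outside the store (the SIEM export in the point above). The record layout, genesis value and sample events are assumptions for the example.

```python
import hashlib
import json

# Assumed anchor value for the first record; any fixed public constant works.
GENESIS_HASH = "0" * 64


def record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # hashes identically; the previous hash is bound in to form the chain.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: list, entry: dict) -> dict:
    # Append-only: the new record commits to the current head of the chain.
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = {"entry": entry, "prev": prev_hash, "hash": record_hash(prev_hash, entry)}
    chain.append(record)
    return record


def verify(chain: list, anchor=None):
    """Walk the chain from genesis; return (ok, index of first bad record).

    `anchor` is the head hash exported out-of-band (e.g. to the SIEM).
    Checking it catches truncation of the tail, which the chain alone cannot.
    """
    prev_hash = GENESIS_HASH
    for i, record in enumerate(chain):
        expected = record_hash(prev_hash, record["entry"])
        if record["prev"] != prev_hash or record["hash"] != expected:
            return False, i
        prev_hash = record["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, len(chain)
    return True, None


# Constructed sample events in the categories AU-2 lists.
SAMPLE_EVENTS = [
    {"type": "auth", "user": "alice", "outcome": "failure", "mfa": False},
    {"type": "auth", "user": "alice", "outcome": "success", "mfa": True},
    {"type": "config", "user": "admin", "action": "update_policy"},
]


def build_chain(events=SAMPLE_EVENTS) -> list:
    chain = []
    for event in events:
        append(chain, dict(event))  # copy so later edits hit only the chain
    return chain
```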

IA-2: Identification and Authentication (Multi-Factor)

Implementation:

  • CAC/PIV required for all federal deployments
  • Username/password authentication disabled at the Helm values level
  • MFA enforcement cannot be bypassed without Helm re-deployment
  • Failed authentication lockout: 3 attempts → 15-minute lockout

SC-8: Transmission Confidentiality and Integrity

Implementation:

  • TLS 1.2 minimum (TLS 1.3 preferred)
  • FIPS 140-2 validated cipher suites only
  • HSTS with 1-year max-age
  • Certificate pinning for internal API communication

SI-3: Malicious Code Protection

Implementation:

  • Container images scanned before deployment (Trivy)
  • Runtime security monitoring (Falco in federal deployments)
  • GOVERN API inputs sanitized and validated
  • AI system outputs scanned for prompt injection artifacts

OSCAL Export

GOVERN can export its control implementation statements in NIST OSCAL (Open Security Controls Assessment Language) format for use in automated compliance workflows:

govern compliance export \
--framework nist-800-53 \
--baseline high \
--format oscal-json \
--output ssp-oscal.json

See OSCAL Export for full documentation.