NIST SP 800-53

The original intention of the NIST SP 800-53 series framework is to protect the information security of the US federal government. Although it is not a formal statutory standard, it has become a widely recognized framework by the US and international security community. It guides organizations to establish an information security risk management framework and to select and formulate information security control measures.

Based on the 5th edition of NIST SP 800-53, a comprehensive assessment was done on Alibaba Cloud's existing security and privacy control measures, enhancement requirements, and implementation. NIST SP 800-53 contains 20 control security domains (Families) and a total of 1189 control items, of which 1007 remain effective (including 298 basic control items and 709 enhanced control items). This assessment is a comprehensive and complete security control assessment of Alibaba Cloud, especially reflecting the controls related to cloud services. Based on the characteristics and requirements of cloud services, it reflects Alibaba Cloud's existing GRC governance, risk, and compliance status. Alibaba Cloud has established security processes, controls, and tools to provide a secure cloud computing platform.

NIST CSF

The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. It is a voluntary framework that gives businesses an outline of best practices. The framework includes five "functions" which are subdivided into a total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all.

Alibaba Cloud performed an assessment based on NIST CSF v1.1 focusing on the following key areas:
• Design and effectiveness of Alibaba Cloud’s cybersecurity framework, policies, and standards;
• Cybersecurity defense capabilities and responsiveness; and
• Gaps between current defense capabilities and targeted or desired results.

NIST 800-53 Rev. 5
Security and Privacy Controls for Information Systems and Organizations
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

NIST Cybersecurity Framework
https://www.nist.gov/cyberframework