Annex K: ARCS-to-NIST SP 800-53 Crosswalk

This crosswalk maps ARCS control families to NIST SP 800-53 Rev. 5 control families. It is informative and does not establish normative equivalence. The crosswalk is intended to help organizations already operating under SP 800-53 understand where ARCS addresses gaps, complements existing controls, or operates in adjacent domains.

This crosswalk extends the appendix of VCP's NIST Public Comment (Docket NIST-2025-0035, Document No. 2026-00206, filed March 9, 2026), which proposed adaptations to AU, MP, SI, and AC for agentic AI interaction data.

Relationship summary

ARCS does not replace SP 800-53 controls. ARCS operates in the domain of interaction record lifecycle and custody, which SP 800-53 does not specifically address. An organization implementing both would use SP 800-53 for system security and ARCS for interaction record governance. The two frameworks are complementary.

Control family crosswalk

| ARCS Family | SP 800-53 Family | Relationship |
| --- | --- | --- |
| ARCS-LIF (Lifecycle) | AU-3, AU-11 (Audit) | ARCS-LIF governs retention and deletion of interaction records. AU-3/AU-11 govern audit record content and retention. ARCS extends AU by distinguishing deliberative content from operational telemetry and by requiring the operator to define lifecycle posture rather than defaulting to platform retention. |
| ARCS-LIF (Lifecycle) | MP-6 (Media Sanitization) | ARCS-LIF governs deletion including volatile memory and ephemeral execution environments. MP-6 addresses media sanitization for persistent storage. ARCS extends MP-6 to cover RAM, container volumes, caches, and transient agent execution contexts. |
| ARCS-CUS (Custody) | CM-8 (System Component Inventory) | ARCS-CUS maps the custody surface: all locations where interaction records exist. CM-8 inventories system components. ARCS extends CM-8 by requiring inventory of record-bearing components specifically, including vendor systems outside operator infrastructure. |
| ARCS-CUS (Custody) | SA-9 (External System Services) | ARCS-CUS governs vendor custody including third-party retention, deletion, and preservation behavior. SA-9 governs external service agreements. ARCS extends SA-9 by requiring disclosure of vendor record behavior, not just service-level agreements. |
| ARCS-TAX (Taxonomy) | AU-3 (Audit Record Content) | ARCS-TAX classifies interaction records by type and sensitivity. AU-3 specifies audit record content. ARCS extends AU-3 by requiring classification of deliberative versus operational content and by supporting content-telemetry separation. |
| ARCS-OPB (Operator Boundary) | CA-3 (System Interconnections) | ARCS-OPB defines the operator's governance boundary. CA-3 governs interconnections. ARCS extends CA-3 by requiring the operator to determine which systems are within the governance boundary based on record behavior, not just network topology. |
| ARCS-PUB (Publish Boundary) | AC-4 (Information Flow) | ARCS-PUB governs when records leave the governed environment. AC-4 governs information flow. ARCS extends AC-4 by requiring governance of exported interaction records including derivative retention and post-publish lifecycle. |
| ARCS-NCR (Non-Creation) | MP-6, SI-12 (Data Management) | ARCS-NCR governs non-creation and non-retention posture. No direct SP 800-53 equivalent exists for auditable non-creation of specific record classes. ARCS fills this gap by defining how operators document and verify that specific record types are never created. |
| ARCS-PV (Preservation) | AU-11 (Audit Record Retention) | ARCS-PV governs preservation override (litigation hold, regulatory hold). AU-11 governs audit retention periods. ARCS extends AU-11 by requiring preservation procedures that suspend normal deletion and by requiring multi-vendor preservation coordination. |
| ARCS-VER (Verification) | CA-2 (Security Assessments) | ARCS-VER governs verification and attestation of lifecycle controls. CA-2 governs security assessment. ARCS extends CA-2 by requiring periodic verification that retention, deletion, and custody controls operate as documented. |
| ARCS-AGT (Agent Runtime) | AU-3, SI-7, AC-3, MP-6 | ARCS-AGT governs agent-specific artifact classes. Maps to the four SP 800-53 adaptations proposed in VCP's NIST comment: AU-3 for telemetry decoupling, MP-6 for ephemeral sanitization, SI-7 for memory boundary isolation, AC-3 for gated retrieval of retained interaction logs. |
| ARCS-DEL (Delegation and Memory) | AC-3, SI-7, AU-11 | ARCS-DEL governs governed persistence, delegation chains, and autonomous execution. Maps to AC-3 for delegation scope control, SI-7 for memory boundary integrity across sessions, and AU-11 for governed-persistence retention periods. |

Key finding

The NIST filing's proposed SP 800-53 adaptations (AU-3 telemetry decoupling, MP-6 ephemeral sanitization, SI-7 memory boundary isolation, AC-3 gated retrieval) each have a corresponding ARCS control family or specific control. ARCS provides the governance-layer specification; SP 800-53 adaptations provide the security-layer implementation requirements. An organization satisfying the NIST-proposed SP 800-53 adaptations and ARCS controls together would have both the security architecture and the governance documentation required for defensible interaction record management.

Scope note

This crosswalk covers the relationship between ARCS and SP 800-53 Rev. 5 specifically. ARCS also has relationships to ISO 27001, ISO 42001, NIST AI RMF, EU AI Act, GDPR/CCPA/HIPAA, and SOC 2. Those crosswalks are addressed in separate context and instrument documents.