ARCS / NIST SP 800-53 Rev. 5
Overview
NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls for information systems and organizations across multiple families including access control, audit, incident response, media protection, and system integrity.
ARCS is a separate lifecycle-governance standard for the records AI systems create. This crosswalk identifies bounded points at which ARCS control families relate to selected SP 800-53 families within interaction-record governance.
Interpretive status
This instrument is an informative crosswalk prepared at the control-family level. It identifies which ARCS families are most closely aligned with the governance purpose of each selected NIST family, with emphasis on retained records, custody visibility, preservation, inspectability, access boundaries, and response handling.
ARCS relevance
Where SP 800-53 governs security and privacy controls around systems and information, ARCS governs the lifecycle status of interaction records: what they are, where they reside, who controls them, how long they persist, whether preservation applies, and whether lifecycle claims are verifiable.
Framework scope
Table A maps selected SP 800-53 Rev. 5 control families to ARCS control families at the theme level. It focuses on six families most relevant to interaction-record governance: Audit and Accountability, Assessment and Monitoring, Incident Response, Access Control, Media Protection, and System Integrity.
| Family | Category / Theme | ARCS Families | Alignment |
|---|---|---|---|
| AU | Audit event generation and record creation | | Strong |
| AU | Audit record retention and protection | | Strong |
| AU | Audit review, analysis, and reporting | | Moderate |
| CA | Control assessment and verification | | Strong |
| CA | Continuous monitoring of record-governance posture | | Strong |
| IR | Incident record preservation and handling | | Strong |
| IR | Incident reporting and evidence retention | | Moderate |
| AC | Access enforcement and custody boundaries | | Moderate |
| AC | Information flow and record disclosure control | | Moderate |
| MP | Media storage, transport, and sanitization | | Strong |
| MP | Media marking and record classification | | Strong |
| SI | System monitoring and record integrity | | Moderate |
| SI | Information integrity at the runtime-to-record boundary | | Moderate |
Selected mappings
The tables below list selected NIST SP 800-53 controls to which ARCS has a clear and bounded relationship. Controls addressing identity management, encryption, physical security, personnel security, and other domains outside ARCS scope are omitted.
AU: Audit and Accountability
AU is the closest 800-53 family to evidentiary records, reviewable event history, and accountable system activity. In ARCS terms, that aligns most directly with verification, preservation, custody definition, and operator-boundary handling of governed records. Alignment is strongest where logs, receipts, review artifacts, and retained interaction traces become governed records.
| Control | 800-53 Requirement | ARCS Controls | Fit | Note |
|---|---|---|---|---|
| AU-2 | Event logging. | ARCS-LIF (LIF-01 to LIF-04), ARCS-TAX (TAX-01 to TAX-03) | Strong | ARCS supports this where AI interaction records must be classified and assigned lifecycle rules at the point of creation. |
| AU-3 | Content of audit records. | ARCS-TAX (TAX-01 to TAX-03), ARCS-LIF (LIF-01 to LIF-04) | Strong | ARCS supports this where governed records must contain sufficient content for later classification, custody assignment, and verification. |
| AU-6 | Audit record review, analysis, and reporting. | ARCS-VER (VER-01 to VER-03), ARCS-LIF (LIF-08) | Moderate | ARCS contributes where review and reporting must include lifecycle posture, custody claims, and verification of retention or deletion state. |
| AU-9 | Protection of audit information. | ARCS-PV (PV-01 to PV-07), ARCS-CUS (CUS-01 to CUS-04) | Strong | ARCS supports audit record protection where preservation obligations override deletion, and custody must be documented across each vendor surface. |
| AU-11 | Audit record retention. | ARCS-LIF (LIF-01 to LIF-04), ARCS-TAX (TAX-01 to TAX-03), ARCS-NCR (NCR-01 to NCR-06) | Strong | ARCS supports this directly. Retention-tier classification, documented lifecycle rules, and non-creation posture verification are core ARCS obligations. |
| AU-12 | Audit record generation. | ARCS-LIF (LIF-01 to LIF-04), ARCS-AGT (AGT-01 to AGT-05) | Strong | ARCS supports the shift from runtime events to durable, governed record creation, including agent tool-call surfaces. |
CA: Assessment, Authorization, and Monitoring
CA is about testing, authorization posture, and continuous monitoring of control effectiveness. In ARCS, that aligns with verification, inspectability, and the ability to assess whether record handling, retention, and custody conditions remain governable over time. This is one of the strongest families for explaining ARCS as a lifecycle-governance complement within existing security control programs.
| Control | 800-53 Requirement | ARCS Controls | Fit | Note |
|---|---|---|---|---|
| CA-2 | Control assessments. | ARCS-VER (VER-01 to VER-07), ARCS-CUS (CUS-01 to CUS-04) | Strong | ARCS supports control assessment where lifecycle and custody claims are testable, and where vendor governance declarations must be verified. |
| CA-5 | Plan of action and milestones. | ARCS-VER (VER-01 to VER-03), ARCS-LIF (LIF-08) | Moderate | ARCS contributes where custody or preservation gaps need a documented remediation track. |
| CA-7 | Continuous monitoring. | ARCS-VER (VER-01, VER-02), ARCS-LIF (LIF-08), ARCS-CUS (CUS-01 to CUS-04) | Strong | ARCS supports continuous monitoring where ongoing observation must include lifecycle state, deletion state, custody surface changes, and vendor posture. |
IR: Incident Response
IR depends on the ability to locate, preserve, classify, and use relevant records during response and post-incident review. In ARCS terms, the closest overlap is custody visibility, preservation integrity, and boundary-aware handling of records that become material during investigation or recovery. The taxonomy link matters because response workflows often depend on what kind of record has been generated or retained.
| Control | 800-53 Requirement | ARCS Controls | Fit | Note |
|---|---|---|---|---|
| IR-4 | Incident handling. | ARCS-PV (PV-01 to PV-07), ARCS-LIF (LIF-01 to LIF-04), ARCS-CUS (CUS-01 to CUS-04) | Strong | ARCS supports incident handling where AI interaction records must be preserved, custody must be documented, and deletion must be suspended during investigation. |
| IR-5 | Incident monitoring. | ARCS-VER (VER-01 to VER-03), ARCS-CUS (CUS-01 to CUS-04) | Moderate | ARCS contributes where monitoring artifacts later become part of the governed record surface. |
| IR-6 | Incident reporting. | ARCS-VER (VER-01 to VER-03), ARCS-PV (PV-01 to PV-03) | Moderate | ARCS contributes where incident reporting must include record lifecycle state, custody chain, and preservation status. |
| IR-8 | Incident response plan. | ARCS-PV (PV-01 to PV-07), ARCS-CUS (CUS-01 to CUS-04), ARCS-OPB (OPB-01, OPB-03) | Moderate | ARCS contributes where record preservation and custody handling need to be built into response planning. |
AC: Access Control
AC governs who can access systems and data, under what conditions, and through what restrictions. In ARCS, the closest overlap is control of access to governed records across operator, publication, and disclosure boundaries rather than general runtime authorization. The ARCS overlap is sharper at the record boundary than at the full identity-and-session layer of system access control.
| Control | 800-53 Requirement | ARCS Controls | Fit | Note |
|---|---|---|---|---|
| AC-2 | Account management. | ARCS-OPB (OPB-01, OPB-03), ARCS-CUS (CUS-01 to CUS-04) | Moderate | ARCS contributes where administrative access boundaries must account for custody stewardship of governed records. |
| AC-3 | Access enforcement. | ARCS-CUS (CUS-01 to CUS-04), ARCS-PUB (PUB-01 to PUB-04) | Moderate | ARCS contributes where record access must be restricted at the operator or publication boundary. |
| AC-4 | Information flow enforcement. | ARCS-PUB (PUB-01 to PUB-06), ARCS-CUS (CUS-01 to CUS-04), ARCS-AGT (AGT-01 to AGT-05) | Moderate | ARCS contributes where boundary-sensitive movement of records across systems, agents, or contexts requires governance. |
MP: Media Protection
MP addresses how information-bearing media are stored, transported, sanitized, and disposed of. In ARCS terms, that maps most naturally to preservation duties, custody treatment, and taxonomy-driven handling rules for retained records and artifacts. This is one of the more concrete bridges between traditional information handling and ARCS preservation logic. Taxonomy matters here because handling requirements often depend on record class and retention significance.
| Control | 800-53 Requirement | ARCS Controls | Fit | Note |
|---|---|---|---|---|
| MP-2 | Media access. | ARCS-CUS (CUS-01 to CUS-04), ARCS-OPB (OPB-01, OPB-03) | Moderate | ARCS contributes where media access controls must account for custody boundaries and operator scope for AI interaction records. |
| MP-3 | Media marking. | ARCS-TAX (TAX-01 to TAX-03), ARCS-LIF (LIF-01 to LIF-04) | Strong | ARCS supports this where record classification and lifecycle state labeling extend to AI interaction artifacts. |
| MP-5 | Media transport. | ARCS-PUB (PUB-01 to PUB-06), ARCS-CUS (CUS-01 to CUS-04) | Moderate | ARCS contributes where records move between custodians, systems, or controlled areas. |
| MP-6 | Media sanitization. | ARCS-LIF (LIF-05 to LIF-07, LIF-12, LIF-13), ARCS-VER (VER-01 to VER-03) | Strong | ARCS supports sanitization verification where deletion claims must be architecturally verified, including vendor deletion verifiability and precluded deletion analysis. |
SI: System and Information Integrity
SI is concerned with integrity and the detection of compromised or anomalous information conditions. In ARCS, the strongest overlap is the integrity and trustworthiness of governed records at the runtime-to-record boundary, especially where system outputs, traces, or transformed artifacts must remain inspectable and attributable. The alignment is narrower than AU or CA because ARCS is not a general integrity control catalog; the strongest bridge is where integrity failure affects evidentiary or governance value of records.
| Control | 800-53 Requirement | ARCS Controls | Fit | Note |
|---|---|---|---|---|
| SI-4 | System monitoring. | ARCS-VER (VER-01 to VER-03), ARCS-LIF (LIF-08), ARCS-CUS (CUS-01 to CUS-04) | Moderate | ARCS contributes where monitoring artifacts enter the governed record surface and require lifecycle classification. |
| SI-7 | Software, firmware, and information integrity. | ARCS-VER (VER-01 to VER-07) | Moderate | ARCS contributes where the integrity of governed artifacts is part of verification and the evidentiary chain. |
Outside scope
This crosswalk is thematic and non-substitutive. It does not assert that ARCS satisfies NIST SP 800-53 controls, nor that NIST SP 800-53 addresses the full lifecycle record-governance scope addressed by ARCS. Families are aligned at the level of governance focus, custody implications, and control intent.
NIST SP 800-53 addresses a far broader security and privacy control landscape than ARCS. ARCS does not replace baseline security controls, identity architecture, incident response procedures, system hardening, encryption requirements, physical security, personnel security, or broad audit requirements. Its contribution is narrower. It governs custody chains, lifecycle states, retention posture, deletion posture, preservation status, and verification obligations for records created during AI system use.
The omission is structural rather than accidental. Where 800-53 assumes that records exist and governs how they are protected, ARCS governs the lifecycle of those records: whether they should exist, how long they persist, who controls them, and whether governance claims are verifiable.
ARCS also governs several record-lifecycle domains outside NIST SP 800-53 coverage:
Record retention as discovery exposure
ARCS-LIF (LIF-01 to LIF-04, LIF-08, LIF-12, LIF-13), ARCS-TAX (TAX-01 to TAX-03)
NIST SP 800-53 governs audit record retention (AU-11) but does not address the broader legal consequences of retained AI interaction records. ARCS governs retention-tier classification, deletion verifiability, and the relationship between record persistence and discovery exposure.
Multi-vendor custody chain mapping
ARCS-CUS (CUS-01 to CUS-12), ARCS-VER (VER-01 to VER-03)
NIST SP 800-53 addresses external system services (SA-9) and supply chain controls (SR family), but does not require mapping record custody across vendor boundaries or documenting possession, control, access, and deletion authority at each custodian surface. ARCS requires this mapping.
Non-creation claim verification
ARCS-NCR (NCR-01 to NCR-06), ARCS-VER (VER-01, VER-02)
NIST SP 800-53 does not address cases in which an operator claims that records are neither created nor retained. ARCS requires that non-creation claims be architecturally verified. Claims that cannot survive review are prohibited under the standard.
Preservation and legal hold for AI records
ARCS-PV (PV-01 to PV-07), ARCS-CUS (CUS-01 to CUS-04)
NIST SP 800-53 includes continuity and recovery controls, but it does not provide a dedicated lifecycle-governance framework for preservation triggers, legal hold procedures, or coordinated hold communication across distributed AI record surfaces. ARCS governs these directly.
Agent tool-use and downstream record surfaces
ARCS-AGT (AGT-01 to AGT-13), ARCS-CUS (CUS-11)
NIST SP 800-53 does not separately govern the record-lifecycle consequences of agent tool use. ARCS requires runtime component enumeration and addresses authorization-gap custody where agent actions create records without explicit human authorization.