heygrc
NIST 800-53 in code

NIST 800-53, reviewed in the pull request.

NIST SP 800-53 is a large catalog, organized into control families, that sits underneath many other frameworks. Most of it is process and governance. A specific slice (least-privilege access, audit generation, authentication, the system and communications protection family) is implemented in code, and those are the controls a review can hold the line on as the system changes.

One catalog, many frameworks downstream

Catch it once, where several frameworks point back.

800-53 is the control catalog a lot of other regimes map to, so a change that trips a technical control here usually corresponds to an obligation in whatever framework your program actually reports against. A weakened SC-8 protection is the same weakened transmission control your other frameworks care about. heygrc reads the change against the control family it touches and cites the control, so the fix lands at the diff, where it is cheapest to make.

Controls that surface in a diff

The 800-53 controls a review can actually catch.

Each row is a real control reference and the kind of change that trips it. heygrc cites the control on the finding, not a vague posture note.

  • AC-6 (least privilege)

    A role, policy, or grant broadens beyond what a component needs, or a scope check is dropped so a path reaches more than its function requires.

  • AU-12 (audit record generation)

    A change removes or narrows the generation of audit records for a security-relevant event, so the action no longer produces a log.

  • IA-2 (identification and authentication)

    A multi-factor check is skipped on a path, an authentication step is bypassed, or a session lifetime is extended far enough to weaken the authentication it rests on.

  • SC-8 (transmission confidentiality and integrity)

    A TLS floor drops, certificate verification is disabled, or sensitive data starts crossing a link on a channel that is no longer protected in transit.

  • SC-28 (protection of information at rest)

    An encryption-at-rest setting is removed or downgraded, or sensitive data lands in a new store with no protection configured.

  • SI-10 (information input validation)

    Validation or sanitization of untrusted input is removed or weakened, opening a path to injection or to mishandling of malformed input.

  • CM-7 (least functionality)

    An insecure capability is enabled by default, a debug or admin surface is exposed, or a port or feature that was disabled is turned back on.

Worked example

A dropped TLS floor that weakens SC-8.

A pull request makes an internal service-to-service call work in a new environment by skipping certificate verification. Sensitive data now crosses that link without a protected channel.

clients/http.ts (+1 −0)
const agent = new https.Agent({
+  rejectUnauthorized: false,  // unblock the staging cert  keepAlive: true,
})
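Review bot: the added `rejectUnauthorized: false` is applied unconditionally, so the comment's stated scope ("unblock the staging cert") does not match the effect; every environment that builds this agent, production included, stops authenticating the peer. Suggest keeping verification on and passing the staging CA through the agent's `ca` option instead, so the trust problem is solved where it exists without removing the check elsewhere.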
heygrc: NIST 800-53 SC-8

Disabling certificate verification means the connection is no longer authenticated, so the transmission can be intercepted or redirected. SC-8 (transmission confidentiality and integrity) expects data in transit to be protected. Fix the staging trust chain (add the CA) rather than turning off verification, and keep the check on in every environment.

What this is, and is not

A review, not an authorization.

heygrc flags changes that touch an 800-53 control and cites the control so the fix happens in the pull request. It does not produce your System Security Plan, run your assessment, or grant an authorization to operate. It catches the change early so a technical control holds in code review instead of becoming an assessment finding. heygrc is in early access.