🔄 NIST 800-53 CIS Reference Update (2026-04-10) #53

Open
github-actions[bot] wants to merge 1 commit into master from auto-update-nist-800-53-20260410-130744

@github-actions

Summary

This automated PR updates the CIS reference file showing the latest CIS→NIST mappings.

⚠️ MANUAL ACTION REQUIRED

This PR only updates the reference file for comparison.

You must manually review the changes and update controls/nist_800_53.yml accordingly:

  1. Review the diff in this PR to see what changed in CIS mappings
  2. Manually apply relevant changes to controls/nist_800_53/*.yml (split by family)
  3. Preserve any human-added rules, guards, or notes in the real files
  4. Commit your manual updates to the real control files in this PR

Changes

  • +0/-5 lines modified in CIS reference files
  • Metadata file: shared/references/controls/nist_800_53_cis_reference.yml
  • Family files: shared/references/controls/nist_800_53_cis_reference/*.yml (21 families)

File Roles

| File | Purpose | Maintained By |
|------|---------|---------------|
| shared/references/controls/nist_800_53_cis_reference.yml | Reference metadata file | 🤖 Automation |
| shared/references/controls/nist_800_53_cis_reference/*.yml | Reference family files (for comparison) | 🤖 Automation |
| controls/nist_800_53.yml | Real metadata file | 👤 Humans |
| controls/nist_800_53/*.yml | Real family files (source of truth) | 👤 Humans |

How Profiles Work

  • CIS-NIST profiles inherit from: nist_800_53:all (real control files)
  • Reference files contain Jinja2 guards for product-specific rules
  • Reference files used for weekly comparison to detect CIS mapping changes

Details

  • Triggered by: Manual workflow dispatch
  • Date: 2026-04-10 13:07:45 UTC
  • OSCAL Source: NIST SP 800-53 Rev 5

Review Checklist

  • Review CIS mapping changes (additions/removals)
  • Identify which changes apply to the real control files
  • Manually update controls/nist_800_53/*.yml with relevant changes
  • Preserve existing human edits and Jinja2 guards
  • Commit manual updates to this PR
  • Run validation tests

How to Apply Changes

# 1. Check out this PR branch
gh pr checkout auto-update-nist-800-53-20260410-130744

# 2. Review the diff in the reference files (by family)
git diff origin/master...HEAD -- shared/references/controls/nist_800_53_cis_reference/

# 3. For each changed family, review and apply to real files
# Example: if ac.yml changed:
git diff origin/master...HEAD -- shared/references/controls/nist_800_53_cis_reference/ac.yml
vim controls/nist_800_53/ac.yml  # Manually apply relevant changes

# 4. Commit your changes
git add controls/nist_800_53/
git commit -m "Manually apply CIS mapping updates to nist_800_53 family files"
git push

🤖 Generated with GitHub Actions

This automated update regenerates the CIS→NIST reference file from
the latest OSCAL catalog and CIS benchmark mappings.

Changes: +0/-5 lines in shared/references/controls/nist_800_53_cis_reference.yml

⚠️  MANUAL ACTION REQUIRED:
Review the diff and manually update controls/nist_800_53.yml as needed.
The real control file may have additional human edits and guards.

Generated by: Weekly NIST 800-53 Sync Workflow
Co-Authored-By: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@github-actions
Author

Detailed Changes in CIS Reference Files

Changed Family Files

  • cm.yml
  • other.yml

📄 Metadata file diff (nist_800_53_cis_reference.yml)

📁 Family files diff (all changed families)

diff --git a/shared/references/controls/nist_800_53_cis_reference/cm.yml b/shared/references/controls/nist_800_53_cis_reference/cm.yml
index fac433495e..ad67451f6b 100644
--- a/shared/references/controls/nist_800_53_cis_reference/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference/cm.yml
@@ -64,7 +64,6 @@ controls:
       - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
       - sysctl_net_ipv4_tcp_syncookies_value=enabled
       - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-      - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
       - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
       - sysctl_net_ipv6_conf_all_forwarding_value=disabled
       - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
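Review bot: The removal of sysctl_net_ipv6_conf_all_accept_redirects_value=disabled at line 67 of cm.yml carries no stated reason; the PR body reports only "+0/-5 lines". Before mirroring it into controls/nist_800_53/cm.yml, confirm from the CIS benchmark mapping whether the entry was dropped or renamed, and record that in the manual commit message. The neighbouring conf_all entries (accept_ra, accept_source_route, forwarding) are unchanged, so this is a single-setting change and not a wider IPv6 sysctl cleanup.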
@@ -139,7 +138,6 @@ controls:
       - sysctl_net_ipv4_ip_forward
       - sysctl_net_ipv4_tcp_syncookies
       - sysctl_net_ipv6_conf_all_accept_ra
-      - sysctl_net_ipv6_conf_all_accept_redirects
       - sysctl_net_ipv6_conf_all_accept_source_route
       - sysctl_net_ipv6_conf_all_forwarding
       - sysctl_net_ipv6_conf_default_accept_ra
@@ -661,7 +659,6 @@ controls:
       - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
       - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
       - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-      - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
       - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
       - sysctl_net_ipv6_conf_all_forwarding_value=disabled
       - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
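Review bot: The hunk header context is only "controls:", so the control that loses sysctl_net_ipv6_conf_all_accept_redirects_value=disabled at line 664 cannot be identified from the diff; name the control ID in the review so the manual edit targets the right entry. This is a different list from the one at line 64 (here sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled is in the context and tcp_syncookies_value is not), so the manual update has to touch two controls in cm.yml.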
@@ -780,7 +777,6 @@ controls:
       - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
       - sysctl_net_ipv4_ip_forward
       - sysctl_net_ipv6_conf_all_accept_ra
-      - sysctl_net_ipv6_conf_all_accept_redirects
       - sysctl_net_ipv6_conf_all_accept_source_route
       - sysctl_net_ipv6_conf_all_forwarding
       - sysctl_net_ipv6_conf_default_accept_ra
diff --git a/shared/references/controls/nist_800_53_cis_reference/other.yml b/shared/references/controls/nist_800_53_cis_reference/other.yml
index ee31b33988..f84d75e921 100644
--- a/shared/references/controls/nist_800_53_cis_reference/other.yml
+++ b/shared/references/controls/nist_800_53_cis_reference/other.yml
@@ -82,7 +82,6 @@ controls:
       - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
       - sysctl_net_ipv4_tcp_syncookies_value=enabled
       - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-      - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
       - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
       - sysctl_net_ipv6_conf_all_forwarding_value=disabled
       - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
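Review bot: other.yml loses only the variable selection sysctl_net_ipv6_conf_all_accept_redirects_value=disabled (line 85); no hunk in this file removes the rule sysctl_net_ipv6_conf_all_accept_redirects, whereas each variable removal in cm.yml is paired with a rule removal. Check whether the rule is still listed under this control in other.yml; if it is, the reference would select the rule without a value, and that should be resolved or noted before anything is copied into the real family file.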

Next Steps:

  1. Review the changes above (metadata + family-specific files)
  2. Identify which rules/controls were added, removed, or modified
  3. Manually update controls/nist_800_53/*.yml to apply relevant changes
  4. Preserve any human-added rules, guards, or notes in the real files

Tip: Family-specific files (ac.yml, au.yml, cm.yml, etc.) make it easier to review changes by control area.
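
The first two review steps (see what the reference diff removed, then find what the human-maintained files still list) can be scripted. The following is an added example, not part of this PR or the project's tooling; the function names removed_entries and still_listed are hypothetical, and the sample diff is constructed by shortening the hunks shown above.

```shell
#!/bin/sh
# Constructed sample, shortened from the cm.yml hunks in this PR.
sample_diff() {
cat <<'EOF'
diff --git a/shared/references/controls/nist_800_53_cis_reference/cm.yml b/shared/references/controls/nist_800_53_cis_reference/cm.yml
--- a/shared/references/controls/nist_800_53_cis_reference/cm.yml
+++ b/shared/references/controls/nist_800_53_cis_reference/cm.yml
@@ -64,7 +64,6 @@ controls:
       - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-      - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
       - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
@@ -139,7 +138,6 @@ controls:
       - sysctl_net_ipv6_conf_all_accept_ra
-      - sysctl_net_ipv6_conf_all_accept_redirects
       - sysctl_net_ipv6_conf_all_accept_source_route
EOF
}

# removed_entries: read a unified diff on stdin and print one line per
# removed YAML list item: "<family file> TAB <entry> TAB <times removed>".
removed_entries() {
  awk '
    /^--- a\// { n = split($2, p, "/"); file = p[n]; next }  # track family file
    /^([+][+][+]|diff |index |@@)/ { next }                  # skip diff headers
    /^-[ ]*- / { e = $0; sub(/^-[ ]*- /, "", e); c[file "\t" e]++ }
    END { for (k in c) print k "\t" c[k] }
  ' | LC_ALL=C sort
}

# still_listed DIR: read removed_entries output on stdin and print the
# "<family file> TAB <entry>" pairs that DIR/<family file> still lists
# as an exact list item (so a rule never matches its _value= selection).
still_listed() {
  while IFS="$(printf '\t')" read -r file entry count; do
    [ -f "$1/$file" ] || continue
    awk -v e="$entry" '{ l = $0; sub(/^[ ]*- /, "", l); if (l == e) found = 1 }
                       END { exit !found }' "$1/$file" \
      && printf '%s\t%s\n' "$file" "$entry"
  done
  return 0
}

sample_diff | removed_entries
```

On the PR branch, the real input would be the output of the git diff command from "How to Apply Changes", piped through removed_entries and then still_listed controls/nist_800_53. Each line it prints is an entry to decide on by hand, since the real files may carry human edits and Jinja2 guards.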

@github-actions
Author

🔄 Workflow Re-run Update

The CIS-NIST sync workflow ran again at 2026-04-12 14:32:49 UTC.

The reference files are still up to date with the same changes as this PR.

Status: This PR is still current and ready for review.

Automated comment from workflow run 24308964464

@github-actions
Author

🔄 Workflow Re-run Update

The CIS-NIST sync workflow ran again at 2026-04-19 14:34:04 UTC.

The reference files are still up to date with the same changes as this PR.

Status: This PR is still current and ready for review.

Automated comment from workflow run 24631442632

@github-actions
Author

🔄 Workflow Re-run Update

The CIS-NIST sync workflow ran again at 2026-04-26 14:37:02 UTC.

The reference files are still up to date with the same changes as this PR.

Status: This PR is still current and ready for review.

Automated comment from workflow run 24959128324

@github-actions
Author

github-actions Bot commented May 3, 2026

🔄 Workflow Re-run Update

The CIS-NIST sync workflow ran again at 2026-05-03 14:42:00 UTC.

The reference files are still up to date with the same changes as this PR.

Status: This PR is still current and ready for review.

Automated comment from workflow run 25282046128
