NIST SP 800-53 Control Mapping - Pipelock
How Pipelock's runtime security controls map to NIST SP 800-53 Rev. 5 security and privacy controls. This mapping targets the control families most relevant to AI agent runtime security.
See also: NIST AI RMF crosswalk | OWASP MCP Top 10 | OWASP Agentic Top 10
Scope: Pipelock is an application-layer agent firewall with process containment. It covers network egress filtering, content inspection, audit logging, process isolation, and human oversight for AI agent deployments. It does not cover identity management, physical security, personnel security, or full-lifecycle system authorization. This mapping is for informational purposes and does not constitute compliance certification.
Last updated: May 2026 (reviewed against v2.5 feature set).

v2.5 adds:

- the host containment lifecycle CLI (pipelock contain install / verify / rollback / add-tool / grant-workspace / revoke-workspace / ca-refresh) implementing a 3-UID kernel-enforced separation with nftables owner-match, explicit workspace ACL lifecycle, and TOFU binary-integrity pinning, strengthening SC-7 Boundary Protection, AC-6 Least Privilege, SC-39 Process Isolation, and SI-7 Software / Firmware / Information Integrity;
- the canonical Audit Packet v0 schema plus first-party Go / TypeScript / Rust / standalone verifier implementations, strengthening AU-2 Audit Events, AU-10 Non-Repudiation, and AU-9 Audit Information Protection with language-portable independent verification;
- strict-default SPIFFE actor enforcement on inbound mediation envelopes plus the pipelock envelope trust operator CLI, strengthening IA-2 / IA-3 Identification and Authentication;
- activation-time tombstone enforcement preventing re-promotion of withdrawn contracts, strengthening CM-3 Configuration Change Control and CM-5 Access Restrictions for Change;
- skill-poisoning instruction-recognition coverage for memory-persistence / credential-solicitation / covert-action directives, strengthening SI-3 Malicious Code Protection and SI-10 Information Input Validation;
- rules-bundle keyring separated from the license key, strengthening SC-13 Cryptographic Protection;
- optional OTel agent.threat.detection.* attributes on scanner-decision OTLP records, strengthening AU-6 Audit Review and IR-4 Incident Handling;
- pipelock claude-hook fail-closed default on unsupported hook events, strengthening SI-10 Information Input Validation and AC-3 Access Enforcement.

Builds on:

- the v2.4 baseline (learn-and-lock per-agent behavioral contracts with signed EvidenceReceipt v2 for CA-2/CA-7 and AU-2/AU-10, inbound mediation envelope verification with replay protection for AU-9(2)/(3) and IA-2/IA-3, SPIFFE actor format with /.well-known/http-message-signatures-directory per RFC 9421 for IA-2/SC-12, X-Pipelock-Block-Reason response header strengthening AU-2 and SC-7 visibility, Gemini provider redaction with the provider plugin shape extending SI-12 / SC-28 coverage);
- the v2.3.0 baseline (class-preserving request redaction for SI-12 / SC-28, generic SSE streaming with per-event body scanning);
- the v2.2.0 baseline (mediation envelope for AU-3(1), expanded signed action receipt coverage across all transports for AU-2/AU-10, taint-aware policy escalation for SI-10, posture verify CLI + CI gate for CA-2/CA-7, companion-proxy deployment for SC-7).
Coverage Summary
| Control Family | Coverage | Key Controls |
|---|---|---|
| AC — Access Control | Moderate | AC-3, AC-4, AC-6, AC-17 |
| AU — Audit and Accountability | Strong | AU-2, AU-3, AU-6, AU-12 |
| CA — Assessment, Authorization | Partial | CA-7 |
| CM — Configuration Management | Moderate | CM-2, CM-3, CM-7 |
| IR — Incident Response | Moderate | IR-4, IR-5, IR-6 |
| SC — System and Communications | Strong | SC-4, SC-7, SC-8, SC-13 |
| SI — System and Information Integrity | Strong | SI-3, SI-4, SI-7, SI-10 |
AC — Access Control
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| AC-3 | Access Enforcement | Tool policy rules enforce per-tool allow/deny decisions. Per-agent profiles with independent budgets and rate limits. Sandbox restricts filesystem and network access. | Strong |
| AC-4 | Information Flow Enforcement | Capability separation: agent (secrets, no network) communicates only through pipelock (network, no secrets). DLP scanning on all egress surfaces prevents secret leakage. Sandbox network namespaces enforce flow boundaries. | Strong |
| AC-4(4) | Content Check | 11-layer scanner pipeline inspects all content: DLP patterns, entropy analysis, prompt injection detection, SSRF prevention. Full-schema tool poisoning detection. | Strong |
| AC-6 | Least Privilege | Per-agent profiles constrain each agent to specific listeners, rate limits, and data budgets. Sandbox Landlock restricts filesystem to declared paths only. Seccomp restricts syscalls to an allowlist. | Strong |
| AC-6(9) | Log Use of Privileged Functions | Every tool call, scan decision, and policy action is logged with agent identity, tool name, and timestamp. | Strong |
| AC-17 | Remote Access | Kill switch API with bearer-token authentication and optional IP allowlist. Port isolation prevents agent self-deactivation. | Moderate |
Gap: Agent identity is config-based (HTTP header or listener binding), not certificate-based. mTLS agent authentication is on the enterprise roadmap.
AU — Audit and Accountability
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| AU-2 | Event Logging | Every request (allow, block, warn, ask, strip) generates a structured audit event with category, severity, agent identity, and scan reasoning. Every enforcement decision also emits an Ed25519-signed action receipt covering fetch, forward, CONNECT, TLS interception, WebSocket, MCP stdio, MCP HTTP, MCP HTTP reverse proxy, and A2A forward-proxy paths. | Strong |
| AU-3 | Content of Audit Records | Events include: timestamp, agent name, source IP, destination URL/domain, scan result, scanner reason, matched pattern, action taken, duration. Receipts additionally include policy_hash, action_id (UUIDv7), transport, and taint-aware fields (session_taint_level, authority_kind, session_task_id). | Strong |
| AU-3(1) | Additional Audit Information | Session profiling adds risk scores, domain burst detection, and behavioral anomaly indicators per session. Mediation envelope (Pipelock-Mediation header) carries the same action ID + policy hash on the wire for downstream correlation. | Strong |
| AU-6 | Audit Record Review, Analysis, Reporting | Prometheus metrics with counters and histograms. Grafana dashboard template. SARIF output for CI integration. Report generation with risk rating and evidence appendix. pipelock session inspect/explain surfaces recent events and trigger/evidence for active airlock escalations. | Strong |
| AU-8 | Time Stamps | All events use RFC 3339 timestamps from the system clock. | Strong |
| AU-10 | Non-Repudiation | Action receipts are Ed25519-signed with a hash-chained sequence (chain_prev_hash, chain_seq). Transcript root commits seal sections of the chain. pipelock verify-receipt and the cross-implementation conformance suite (sdk/conformance/) let third parties verify receipts without trusting pipelock. | Strong |
| AU-12 | Audit Record Generation | Three emission targets: webhook (async buffered), syslog (UDP), and OTLP (HTTP/protobuf). Prometheus /metrics endpoint. Flight recorder writes receipts as signed JSONL. | Strong |
Gap: Guaranteed log delivery (persistent queue with retry) is on the enterprise roadmap. Current emission is best-effort with overflow counters.
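A minimal sketch of how a third party can check an Ed25519-signed, hash-chained receipt log of the kind the AU-10 row describes (added example, not Pipelock's code or its receipt format). The struct layout, the digest encoding, and the names Receipt, digest, Append and VerifyChain are assumptions; only chain_seq and chain_prev_hash are field names from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Receipt is a hypothetical layout; only chain_seq and chain_prev_hash come from the page.
type Receipt struct {
	ChainSeq      uint64 `json:"chain_seq"`
	ChainPrevHash string `json:"chain_prev_hash"`
	Action        string `json:"action"`
	Sig           []byte `json:"sig"`
}

// digest hashes every field except the signature; it is what gets signed and chained.
func digest(r Receipt) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%q", r.ChainSeq, r.ChainPrevHash, r.Action)))
	return h[:]
}

func Append(chain []Receipt, priv ed25519.PrivateKey, action string) []Receipt {
	r := Receipt{ChainSeq: uint64(len(chain)), Action: action}
	if n := len(chain); n > 0 {
		r.ChainPrevHash = hex.EncodeToString(digest(chain[n-1]))
	}
	r.Sig = ed25519.Sign(priv, digest(r))
	return append(chain, r)
}

// VerifyChain returns the index of the first bad receipt, or -1 if all pass.
func VerifyChain(chain []Receipt, pub ed25519.PublicKey) int {
	prev := ""
	for i, r := range chain {
		if r.ChainSeq != uint64(i) || r.ChainPrevHash != prev || !ed25519.Verify(pub, digest(r), r.Sig) {
			return i
		}
		prev = hex.EncodeToString(digest(r))
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	chain := Append(Append(nil, priv, "allow"), priv, "block")
	chain[0].Action = "warn" // tamper with a stored receipt
	fmt.Println("first bad receipt:", VerifyChain(chain, pub))
}
```

Walking the chain catches edits, drops and reordering inside it, but not receipts removed from the tail; detecting that requires an independently recorded chain head.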
CA — Assessment, Authorization, and Monitoring
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| CA-7 | Continuous Monitoring | Hot-reload config (fsnotify + SIGHUP) for live policy updates. Prometheus real-time metrics with alerting integration. Adaptive enforcement escalates risk scores per session. | Moderate |
| CA-7(4) | Risk Monitoring | Adaptive enforcement tracks per-session risk with automatic escalation from warn to block based on accumulated threat signals. Domain burst detection flags unusual access patterns. | Moderate |
Gap: Pipelock monitors agent-to-internet traffic continuously but does not perform system-level vulnerability assessment or configuration compliance scanning.
CM — Configuration Management
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| CM-2 | Baseline Configuration | YAML config with version field and preset modes (strict, balanced, audit). Community rule bundles with Ed25519 signing and version tracking. | Moderate |
| CM-3 | Configuration Change Control | Hot-reload with atomic config swap. Config changes logged. Kill switch state preserved across reloads. Community rules verified against trusted keyring on load. | Moderate |
| CM-7 | Least Functionality | Strict mode restricts to allowlisted API domains only. Seccomp syscall allowlist blocks unnecessary kernel operations. Sandbox restricts filesystem to declared paths. | Strong |
| CM-7(5) | Authorized Software | Tool policy rules constrain which MCP tools can execute. Session binding pins tool inventory at session start — unauthorized tool additions are detected. | Moderate |
Gap: No centralized fleet configuration management. Policy distribution and canary rollouts are on the enterprise roadmap.
IR — Incident Response
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| IR-4 | Incident Handling | Kill switch provides emergency deny-all from 4 independent sources (config, API, SIGUSR1, sentinel file). Any source active blocks all traffic. OR-composed: deactivating one source doesn't affect others. | Strong |
| IR-4(1) | Automated Incident Handling | Adaptive enforcement automatically escalates from warn to block when per-session risk threshold is exceeded. | Moderate |
| IR-5 | Incident Monitoring | Prometheus metrics track blocked requests by category. Session profiling identifies high-risk sessions. Event emission forwards alerts to SIEM in real time. | Strong |
| IR-6 | Incident Reporting | Structured audit events with MITRE ATT&CK technique mapping (T1048 exfiltration, T1059 injection, T1195.002 supply chain). Report generation produces signed evidence packages. | Strong |
SC — System and Communications Protection
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| SC-4 | Information in Shared Resources | Per-agent profiles isolate budgets, rate limits, and session state. Sandbox provides process-level isolation via Landlock, network namespaces, and seccomp. | Strong |
| SC-7 | Boundary Protection | Capability separation enforces a network boundary between the agent (privileged, no network) and the internet (via pipelock proxy). 11-layer scanner inspects all cross-boundary traffic. | Strong |
| SC-7(5) | Deny by Default / Allow by Exception | Strict mode denies all traffic except explicitly allowlisted API domains. Fail-closed on timeout, parse error, and context cancellation. | Strong |
| SC-8 | Transmission Confidentiality and Integrity | TLS interception for CONNECT tunnels with per-host certificate generation. Ed25519 signing for reports, rules, and integrity manifests. | Moderate |
| SC-13 | Cryptographic Protection | Ed25519 for signing (keys, reports, community rules, integrity manifests). SHA-256 for tool baseline hashing and file integrity. TLS for proxy traffic. | Moderate |
| SC-28 | Protection of Information at Rest | Audit logs written with structured JSON. File permissions enforced at 0o600. Community rule bundles verified with Ed25519 signatures. | Partial |
Gap: SC-28 covers information at rest broadly. Pipelock protects its own config and log files but does not encrypt audit logs at rest. Audit encryption is a consideration for regulated deployments.
SI — System and Information Integrity
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| SI-3 | Malicious Code Protection | Tool poisoning detection scans all schema fields for injected instructions. Response scanning detects prompt injection in tool results. DLP prevents secret exfiltration. | Strong |
| SI-4 | System Monitoring | Continuous scanning of mediated HTTP, WebSocket, and MCP traffic. Prometheus metrics, structured logging, session profiling, and adaptive enforcement provide layered monitoring. | Strong |
| SI-4(4) | Inbound and Outbound Communications Traffic | Bidirectional MCP scanning: outbound (agent-to-server) for DLP leaks, inbound (server-to-agent) for injection. URL scanner covers all HTTP egress. WebSocket frame scanning covers bidirectional channels. | Strong |
| SI-7 | Software, Firmware, and Information Integrity | Binary integrity monitoring (pipelock integrity). Community rule bundle signature verification. Tool baseline drift detection (SHA-256 per session). SLSA provenance on releases. | Strong |
| SI-10 | Information Input Validation | MCP input scanning validates tool call arguments for DLP and injection patterns. Shell obfuscation detection (octal, hex, brace expansion, variable substitution, command substitution) normalizes input before matching. | Strong |
Architectural Note
Pipelock operates at the application and network layer, providing controls that map most directly to AC-4 (information flow), AU (audit), SC-7 (boundary protection), and SI-3/SI-4 (malicious code and monitoring). Controls requiring organizational process (risk assessment, personnel, physical security) or centralized management (fleet policy, RBAC, SSO) are outside the current scope and planned for the enterprise roadmap.
For FedRAMP and government procurement, pair Pipelock's runtime enforcement with complementary controls: identity management (AC-2, IA family), vulnerability management (RA-5), and centralized policy (enterprise roadmap features).