NIST SP 800-53 Control Mapping - Pipelock
How Pipelock's runtime security controls map to NIST SP 800-53 Rev. 5 security and privacy controls. This mapping targets the control families most relevant to AI agent runtime security.
See also: NIST AI RMF crosswalk | OWASP MCP Top 10 | OWASP Agentic Top 10
Scope: Pipelock is an application-layer agent firewall with process containment. It covers network egress filtering, content inspection, audit logging, process isolation, and human oversight for AI agent deployments. It does not cover identity management, physical security, personnel security, or full-lifecycle system authorization. This mapping is for informational purposes and does not constitute compliance certification.
Last updated: March 2026
Coverage Summary
| Control Family | Coverage | Key Controls |
|---|---|---|
| AC — Access Control | Moderate | AC-3, AC-4, AC-6, AC-17 |
| AU — Audit and Accountability | Strong | AU-2, AU-3, AU-6, AU-12 |
| CA — Assessment, Authorization | Partial | CA-7 |
| CM — Configuration Management | Moderate | CM-2, CM-3, CM-7 |
| IR — Incident Response | Moderate | IR-4, IR-5, IR-6 |
| SC — System and Communications | Strong | SC-4, SC-7, SC-8, SC-13 |
| SI — System and Information Integrity | Strong | SI-3, SI-4, SI-7, SI-10 |
AC — Access Control
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| AC-3 | Access Enforcement | Tool policy rules enforce per-tool allow/deny decisions. Per-agent profiles with independent budgets and rate limits. Sandbox restricts filesystem and network access. | Strong |
| AC-4 | Information Flow Enforcement | Capability separation: agent (secrets, no network) communicates only through pipelock (network, no secrets). DLP scanning on all egress surfaces prevents secret leakage. Sandbox network namespaces enforce flow boundaries. | Strong |
| AC-4(4) | Content Check | 11-layer scanner pipeline inspects all content: DLP patterns, entropy analysis, prompt injection detection, SSRF prevention. Full-schema tool poisoning detection. | Strong |
| AC-6 | Least Privilege | Per-agent profiles constrain each agent to specific listeners, rate limits, and data budgets. Sandbox Landlock restricts filesystem to declared paths only. Seccomp restricts syscalls to an allowlist. | Strong |
| AC-6(9) | Log Use of Privileged Functions | Every tool call, scan decision, and policy action is logged with agent identity, tool name, and timestamp. | Strong |
| AC-17 | Remote Access | Kill switch API with bearer-token authentication and optional IP allowlist. Port isolation prevents agent self-deactivation. | Moderate |
Gap: Agent identity is config-based (HTTP header or listener binding), not certificate-based. mTLS agent authentication is on the enterprise roadmap.
AU — Audit and Accountability
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| AU-2 | Event Logging | Every request (allow, block, warn, ask, strip) generates a structured audit event with category, severity, agent identity, and scan reasoning. | Strong |
| AU-3 | Content of Audit Records | Events include: timestamp, agent name, source IP, destination URL/domain, scan result, scanner reason, matched pattern, action taken, duration. | Strong |
| AU-3(1) | Additional Audit Information | Session profiling adds risk scores, domain burst detection, and behavioral anomaly indicators per session. | Strong |
| AU-6 | Audit Record Review, Analysis, Reporting | Prometheus metrics with counters and histograms. Grafana dashboard template. SARIF output for CI integration. Report generation with risk rating and evidence appendix. | Strong |
| AU-8 | Time Stamps | All events use RFC 3339 timestamps from the system clock. | Strong |
| AU-12 | Audit Record Generation | Three emission targets: webhook (async buffered), syslog (UDP), and OTLP (HTTP/protobuf). Prometheus /metrics endpoint. | Strong |
Gap: Guaranteed log delivery (persistent queue with retry) is on the enterprise roadmap. Current emission is best-effort with overflow counters.
CA — Assessment, Authorization, and Monitoring
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| CA-7 | Continuous Monitoring | Hot-reload config (fsnotify + SIGHUP) for live policy updates. Prometheus real-time metrics with alerting integration. Adaptive enforcement escalates risk scores per session. | Moderate |
| CA-7(4) | Risk Monitoring | Adaptive enforcement tracks per-session risk with automatic escalation from warn to block based on accumulated threat signals. Domain burst detection flags unusual access patterns. | Moderate |
Gap: Pipelock monitors agent-to-internet traffic continuously but does not perform system-level vulnerability assessment or configuration compliance scanning.
CM — Configuration Management
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| CM-2 | Baseline Configuration | YAML config with version field and preset modes (strict, balanced, audit). Community rule bundles with Ed25519 signing and version tracking. | Moderate |
| CM-3 | Configuration Change Control | Hot-reload with atomic config swap. Config changes logged. Kill switch state preserved across reloads. Community rules verified against trusted keyring on load. | Moderate |
| CM-7 | Least Functionality | Strict mode restricts to allowlisted API domains only. Seccomp syscall allowlist blocks unnecessary kernel operations. Sandbox restricts filesystem to declared paths. | Strong |
| CM-7(5) | Authorized Software | Tool policy rules constrain which MCP tools can execute. Session binding pins tool inventory at session start — unauthorized tool additions are detected. | Moderate |
Gap: No centralized fleet configuration management. Policy distribution and canary rollouts are on the enterprise roadmap.
IR — Incident Response
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| IR-4 | Incident Handling | Kill switch provides emergency deny-all from 4 independent sources (config, API, SIGUSR1, sentinel file). Any source active blocks all traffic. OR-composed: deactivating one source doesn't affect others. | Strong |
| IR-4(1) | Automated Incident Handling | Adaptive enforcement automatically escalates from warn to block when per-session risk threshold is exceeded. | Moderate |
| IR-5 | Incident Monitoring | Prometheus metrics track blocked requests by category. Session profiling identifies high-risk sessions. Event emission forwards alerts to SIEM in real time. | Strong |
| IR-6 | Incident Reporting | Structured audit events with MITRE ATT&CK technique mapping (T1048 exfiltration, T1059 injection, T1195.002 supply chain). Report generation produces signed evidence packages. | Strong |
SC — System and Communications Protection
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| SC-4 | Information in Shared Resources | Per-agent profiles isolate budgets, rate limits, and session state. Sandbox provides process-level isolation via Landlock, network namespaces, and seccomp. | Strong |
| SC-7 | Boundary Protection | Capability separation enforces a network boundary between the agent (privileged, no network) and the internet (via pipelock proxy). 11-layer scanner inspects all cross-boundary traffic. | Strong |
| SC-7(5) | Deny by Default / Allow by Exception | Strict mode denies all traffic except explicitly allowlisted API domains. Fail-closed on timeout, parse error, and context cancellation. | Strong |
| SC-8 | Transmission Confidentiality and Integrity | TLS interception for CONNECT tunnels with per-host certificate generation. Ed25519 signing for reports, rules, and integrity manifests. | Moderate |
| SC-13 | Cryptographic Protection | Ed25519 for signing (keys, reports, community rules, integrity manifests). SHA-256 for tool baseline hashing and file integrity. TLS for proxy traffic. | Moderate |
| SC-28 | Protection of Information at Rest | Audit logs written with structured JSON. File permissions enforced at 0o600. Community rule bundles verified with Ed25519 signatures. | Partial |
Gap: SC-28 covers information at rest broadly. Pipelock protects its own config and log files but does not encrypt audit logs at rest. Audit encryption is a consideration for regulated deployments.
SI — System and Information Integrity
| Control | Name | Pipelock Feature | Coverage |
|---|---|---|---|
| SI-3 | Malicious Code Protection | Tool poisoning detection scans all schema fields for injected instructions. Response scanning detects prompt injection in tool results. DLP prevents secret exfiltration. | Strong |
| SI-4 | System Monitoring | Continuous scanning of all HTTP, WebSocket, and MCP traffic. Prometheus metrics, structured logging, session profiling, and adaptive enforcement provide layered monitoring. | Strong |
| SI-4(4) | Inbound and Outbound Communications Traffic | Bidirectional MCP scanning: outbound (agent-to-server) for DLP leaks, inbound (server-to-agent) for injection. URL scanner covers all HTTP egress. WebSocket frame scanning covers bidirectional channels. | Strong |
| SI-7 | Software, Firmware, and Information Integrity | Binary integrity monitoring (pipelock integrity). Community rule bundle signature verification. Tool baseline drift detection (SHA-256 per session). SLSA provenance on releases. | Strong |
| SI-10 | Information Input Validation | MCP input scanning validates tool call arguments for DLP and injection patterns. Shell obfuscation detection (octal, hex, brace expansion, variable substitution, command substitution) normalizes input before matching. | Strong |
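
The session binding and SHA-256 tool baseline drift detection listed under CM-7(5) and SI-7 can be illustrated as follows. This is an added example, not Pipelock's code: the `Tool` type, the `Pin` and `Drift` functions, and the sample inventory are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Tool is a hypothetical, simplified MCP tool definition (not Pipelock's type).
type Tool struct {
	Name, Description string
	InputSchema       json.RawMessage
}

// fingerprint hashes name, description and schema, so an edit to any field changes the digest.
func fingerprint(t Tool) string {
	var schema any
	_ = json.Unmarshal(t.InputSchema, &schema) // empty or invalid schema hashes as null
	canon, _ := json.Marshal([]any{t.Name, t.Description, schema}) // map keys are sorted
	return fmt.Sprintf("%x", sha256.Sum256(canon))
}

// Pin records the tool inventory seen at session start.
func Pin(tools []Tool) map[string]string {
	base := make(map[string]string, len(tools))
	for _, t := range tools {
		base[t.Name] = fingerprint(t)
	}
	return base
}

// Drift lists tools added or altered since the baseline was pinned.
func Drift(base map[string]string, tools []Tool) []string {
	findings := []string{}
	for _, t := range tools {
		if pinned, ok := base[t.Name]; !ok {
			findings = append(findings, "added:"+t.Name)
		} else if pinned != fingerprint(t) {
			findings = append(findings, "changed:"+t.Name)
		}
	}
	return findings
}

func main() { // constructed sample inventory, not real server output
	s := json.RawMessage(`{"type":"object","properties":{"path":{"type":"string"}}}`)
	base := Pin([]Tool{{"read_file", "Read a file", s}})
	later := []Tool{{"read_file", "Read any file", s}, {"shell", "Run a command", nil}}
	fmt.Println(Drift(base, later))
}
```

Hashing the description together with the schema matters because a tool can keep its name and argument shape while its descriptive text is rewritten mid-session.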
Architectural Note
Pipelock operates at the application and network layer, providing controls that map most directly to AC-4 (information flow), AU (audit), SC-7 (boundary protection), and SI-3/SI-4 (malicious code and monitoring). Controls requiring organizational process (risk assessment, personnel, physical security) or centralized management (fleet policy, RBAC, SSO) are outside the current scope and planned for the enterprise roadmap.
For FedRAMP and government procurement, pair Pipelock's runtime enforcement with complementary controls: identity management (AC-2, IA family), vulnerability management (RA-5), and centralized policy (enterprise roadmap features).