NCA-CSCC-1-2019 · Version 1.0 · Published 2019

NCA Critical Systems Cybersecurity Controls

The hardened cybersecurity baseline for Saudi systems whose disruption would carry critical national impact. CSCC extends the NCA ECC with additional, sector-agnostic requirements for entities operating critical systems.

What NCA CSCC covers

The NCA Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) are issued by the National Cybersecurity Authority as a hardened extension of the ECC. CSCC applies on top of ECC wherever an entity operates a critical system — a system whose disruption, compromise or loss of confidentiality, integrity or availability would have a high impact on Saudi national interests.

CSCC is not a replacement for ECC; it is a supplement. Every CSCC sub-control sits on top of an equivalent ECC control and tightens the requirement, raises the maturity bar, or adds critical-system-specific obligations. Entities running critical systems are assessed against both frameworks in combination.

The complete control library below contains 4 domains, 21 subdomains, 32 controls and 73 sub-controls, each referenced to its canonical NCA ID and mapped to the corresponding ECC requirement.

Control library

Complete NCA CSCC controls

NCA Critical Systems Cybersecurity Controls — the hardened cybersecurity baseline for systems whose disruption would have a critical impact on national security. These controls extend the ECC with additional requirements for entities operating critical systems in any sector.

4 domains · 21 subdomains · 32 controls · 85 assessable

1 Cybersecurity Governance

5 subdomains · 7 controls

1-1 Cybersecurity Strategy

To ensure that cybersecurity plans, goals, initiatives and projects are contributing to compliance with related laws and regulations.

  1. 1-1-1 (Assessable)

    In addition to the controls in ECC subdomain 1-1, the organization's cybersecurity strategy must prioritize the support of protecting its critical systems.

1-2 Cybersecurity Risk Management

To ensure managing cybersecurity risks in a methodological approach in order to protect the organization's information technology assets as per the organizational policies and procedures and related laws and regulations.

  1. 1-2-1-1 (Assessable)

    Conducting a cybersecurity risk assessment on critical systems at least once annually.

  2. 1-2-1-2 (Assessable)

    Creating a cybersecurity risk register for critical systems, and reviewing it at least once every month.

1-3 Cybersecurity in Information Technology Project Management

To ensure that cybersecurity requirements are included in project management methodology and procedures in order to protect the confidentiality, integrity and availability of information technology assets as per organizational policies and procedures, and related laws and regulations.

  1. 1-3-1-1 (Assessable)

    Conducting a stress test to ensure the capacity of the various components.

  2. 1-3-1-2 (Assessable)

    Ensuring the implementation of business continuity requirements.

  3. 1-3-2-1 (Assessable)

    Conducting a security source code review before the critical system release.

  4. 1-3-2-2 (Assessable)

    Securing the access, storage, documentation and releases of source code.

  5. 1-3-2-3 (Assessable)

    Securing the authenticated Application Programming Interface (API).

  6. 1-3-2-4 (Assessable)

    Secure and trusted migration of applications from testing environments to production environments, along with deletion of any data, IDs or passwords related to the testing environment before the migration.

1-4 Periodical Cybersecurity Review and Audit

To ensure that cybersecurity controls are implemented and in compliance with organizational policies and procedures, as well as related national and international laws, regulations and agreements.

  1. 1-4-1 (Assessable)

    With reference to ECC control 1-8-1, the organization's cybersecurity function must review the implementation of CSCC at least once annually.

  2. 1-4-2 (Assessable)

    With reference to ECC control 1-8-2, the implementation of CSCC must be reviewed by independent parties within the organization, outside the cybersecurity function, at least once every three years.

1-5 Cybersecurity in Human Resources

To ensure that cybersecurity risks and requirements related to personnel (employees and contractors) are managed efficiently prior to employment, during employment and after termination/separation as per organizational policies and procedures, and related laws and regulations.

  1. 1-5-1-1 (Assessable)

    Screening or vetting candidates for working on critical systems.

  2. 1-5-1-2 (Assessable)

    The technical support and development positions for critical systems must be filled with experienced Saudi professionals.

2 Cybersecurity Defense

13 subdomains · 22 controls

2-1 Asset Management

To ensure that the organization has an accurate and detailed inventory of information technology assets in order to support the organization's cybersecurity and operational requirements to maintain the confidentiality, integrity and availability of information technology assets.

  1. 2-1-1-1 (Assessable)

    Maintaining an annually-updated inventory of critical systems' assets.

  2. 2-1-1-2 (Assessable)

    Identifying asset owners and involving them in the asset management lifecycle for critical systems.

2-2 Identity and Access Management

To ensure the secure and restricted logical access to information technology assets in order to prevent unauthorized access and allow users only the authorized access that is necessary to accomplish their assigned tasks.

  1. 2-2-1-1 (Assessable)

    Prohibiting remote access from outside the Kingdom of Saudi Arabia.

  2. 2-2-1-2 (Assessable)

    Restricting remote access from inside the Kingdom of Saudi Arabia and verifying each access attempt by the organization's security operations center, and continuously monitoring activities related to remote access.

  3. 2-2-1-3 (Assessable)

    Using multi-factor authentication for all users.

  4. 2-2-1-4 (Assessable)

    Using multi-factor authentication for privileged users, and on systems utilized for managing critical systems stated in control 2-3-1-4.

  5. 2-2-1-5 (Assessable)

    Developing and implementing a high-standard and secure password policy.

  6. 2-2-1-6 (Assessable)

    Utilizing secure methods and algorithms for storing and processing passwords, such as hashing functions.

  7. 2-2-1-7 (Assessable)

    Securely managing service accounts for applications and systems, and disabling interactive login from these accounts.

  8. 2-2-1-8 (Assessable)

    Prohibiting direct access and interaction with databases for all users except for database administrators. Users' access and interaction with databases must be through applications only, with consideration given to applying security solutions that limit or prohibit visibility of classified data to database administrators.

  9. 2-2-2 (Assessable)

    With reference to ECC subcontrol 2-2-3-5, user identities and access rights to critical systems must be reviewed at least once every three months.
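Sub-control 2-2-1-6 asks for secure storage and processing of passwords, naming hashing functions as the technique. The following is an added example written for this page, not code published by the NCA or by any product the page describes. It shows what "secure hashing" means in practice: a per-password random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), constant-time comparison on verification, and a self-describing stored record so the work factor can be raised later without breaking existing accounts. The record format and the iteration count are assumptions chosen for the example; memory-hard functions such as Argon2id or scrypt are preferable where a library for them is available.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters are assumptions for this example. Tune ITERATIONS so that one
# verification costs tens of milliseconds on the authentication servers, and
# raise it over time as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password, salt, iterations):
    """Slow key derivation: the whole point is to make offline guessing expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def hash_password(password):
    """Return a storable record of the form algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per password, so equal passwords yield different records
    digest = _derive(password, salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False  # unknown or legacy scheme: treat as non-matching
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError subclass)
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(record):
    """True when the stored record is weaker than the current policy; rehash on next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demonstration: store, verify, and detect an outdated work factor.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                # False
    print(needs_rehash("pbkdf2_sha256$1000$AAAA$AAAA"))              # True
```

The stored record never contains the password or anything reversible to it; an attacker who obtains the database must still run the full derivation for every guess. The `needs_rehash` check is what lets an organization raise the work factor during its periodic configuration review (2-3-1-6) without forcing a password reset.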

2-3 Information System and Information Processing Facilities Protection

To ensure the protection of information systems and information processing facilities (including workstations and infrastructures) against cyber risks.

  1. 2-3-1-1 (Assessable)

    Whitelisting of application and software operation files that are allowed to execute on servers hosting critical systems.

  2. 2-3-1-2 (Assessable)

    Protecting servers hosting critical systems using end-point protection solutions that are approved by the organization.

  3. 2-3-1-3 (Assessable)

    Applying security patches and updates at least once every month for external and internet-connected critical systems and at least once every three months for internal critical systems, in line with the organization's approved change management mechanisms.

  4. 2-3-1-4 (Assessable)

    Allocating specific workstations in an isolated network (Management Network), that is isolated from other networks or services (e.g., email service or internet), to be used by highly privileged accounts.

  5. 2-3-1-5 (Assessable)

    Encrypting the network traffic of non-console administrative access for all technical components of critical systems using secure encryption algorithms and protocols.

  6. 2-3-1-6 (Assessable)

    Reviewing critical systems' configurations and hardening at least once every six months.

  7. 2-3-1-7 (Assessable)

    Reviewing and changing default configurations, and ensuring the removal of hard-coded, backdoor and/or default passwords, where applicable.

  8. 2-3-1-8 (Assessable)

    Protecting systems' logs and critical files from unauthorized access, tampering, illegitimate modification and/or deletion.

2-4 Networks Security Management

To ensure the protection of the organization's network from cyber risks.

  1. 2-4-1-1 (Assessable)

    Logically and/or physically segregating and isolating critical systems' networks.

  2. 2-4-1-2 (Assessable)

    Reviewing firewall rules and access lists at least once every six months.

  3. 2-4-1-3 (Assessable)

    Prohibiting direct connection between local network devices and critical systems, unless those devices are scanned to ensure they have security controls that meet the acceptable security levels for critical systems.

  4. 2-4-1-4 (Assessable)

    Prohibiting critical systems from connecting to a wireless network.

  5. 2-4-1-5 (Assessable)

    Protecting against Advanced Persistent Threats (APT) at the network layer.

  6. 2-4-1-6 (Assessable)

    Prohibiting connection to the internet for critical systems that provide internal services to the organization and have no strong need to be accessed from outside the organization.

  7. 2-4-1-7 (Assessable)

    Critical systems that provide services to a limited number of organizations (not individuals) shall use networks isolated from the Internet.

  8. 2-4-1-8 (Assessable)

    Protecting against Distributed Denial of Service (DDoS) attacks to limit risks arising from these attacks.

  9. 2-4-1-9 (Assessable)

    Allowing only whitelisting for critical systems' firewall access lists.

2-5 Mobile Devices Security

To ensure the protection of mobile devices (including laptops, smartphones, tablets) from cyber risks and to ensure the secure handling of the organization's information (including sensitive information) while utilizing Bring Your Own Device (BYOD) policy.

  1. 2-5-1-1 (Assessable)

    Prohibiting access to critical systems from mobile devices except for a temporary period only, after assessing the risks and obtaining the necessary approvals from the cybersecurity function in the organization.

  2. 2-5-1-2 (Assessable)

    Implementing full disk encryption for mobile devices with access to critical systems.

2-6 Data and Information Protection

To ensure the confidentiality, integrity and availability of the organization's data and information as per organizational policies and procedures, and related laws and regulations.

  1. 2-6-1-1 (Assessable)

    Prohibiting the use of critical systems' data in any environment other than the production environment, except after applying strict controls for protecting that data, such as data masking or data scrambling techniques.

  2. 2-6-1-2 (Assessable)

    Classifying all data within critical systems.

  3. 2-6-1-3 (Assessable)

    Protecting classified data of critical systems using data leakage prevention techniques.

  4. 2-6-1-4 (Assessable)

    Identifying the retention period for critical systems-associated data, in accordance with relevant legislation. Only required data must be retained in critical systems' production environments.

  5. 2-6-1-5 (Assessable)

    Prohibiting the transfer of any critical systems' data from the production environment to any other environment.

2-7 Cryptography

To ensure the proper and efficient use of cryptography to protect information assets as per organizational policies and procedures, and related laws and regulations.

  1. 2-7-1-1 (Assessable)

    Encrypting all critical systems' data-in-transit.

  2. 2-7-1-2 (Assessable)

    Encrypting all critical systems' data-at-rest at the level of files, database or certain columns within database.

  3. 2-7-1-3 (Assessable)

    Using secure and up-to-date methods, algorithms, keys and devices in accordance with what NCA issues in this regard.

2-8 Backup and Recovery Management

To ensure the protection of the organization's data and information, including information systems and software configurations, from cyber risks as per organizational policies and procedures, and related laws and regulations.

  1. 2-8-1-1 (Assessable)

    Scope and coverage of online and offline backups shall cover all critical systems.

  2. 2-8-1-2 (Assessable)

    Performing backup within planned intervals, according to the organization's risk assessment. NCA recommends performing backup for critical systems on a daily basis.

  3. 2-8-1-3 (Assessable)

    Securing access, storage and transfer of critical systems' backups and storage media, and protecting them from destruction, unauthorized access or modification.

  4. 2-8-2 (Assessable)

    With reference to ECC subcontrol 2-9-3-3, a periodical test must be conducted at least once every three months in order to determine the efficiency of recovering critical systems' backups.

2-9 Vulnerabilities Management

To ensure timely detection and effective remediation of technical vulnerabilities to prevent or minimize the probability of exploiting these vulnerabilities to launch cyber attacks against the organization.

  1. 2-9-1-1 (Assessable)

    Utilizing trusted methods and tools for vulnerabilities assessments.

  2. 2-9-1-2 (Assessable)

    Assessing and remediating vulnerabilities (by installing security updates and patches) on technical components of critical systems at least once every month for external and internet-connected critical systems, and at least once every three months for internal critical systems.

  3. 2-9-1-3 (Assessable)

    Immediately remediating critical vulnerabilities, in line with change management processes approved by the organization.

  4. 2-9-2 (Assessable)

    With reference to ECC subcontrol 2-10-3-1, vulnerabilities assessments must be conducted on critical systems' technical components at least once every month.

2-10 Penetration Testing

To assess and evaluate the efficiency of the organization's cybersecurity defense capabilities through simulated cyber attacks to discover unknown weaknesses within the technical infrastructure that may lead to a cyber breach.

  1. 2-10-1-1 (Assessable)

    The scope of penetration tests must cover all of the critical systems' technical components and all their internal and external services.

  2. 2-10-1-2 (Assessable)

    Conducting penetration tests by a qualified team.

  3. 2-10-2 (Assessable)

    With reference to ECC subcontrol 2-11-3-2, penetration tests must be conducted on critical systems at least once every six months.

2-11 Cybersecurity Event Logs and Monitoring Management

To ensure timely collection, analysis and monitoring of cybersecurity events for early detection of potential cyber-attacks in order to prevent or minimize the negative impacts on the organization's operations.

  1. 2-11-1-1 (Assessable)

    Activating cybersecurity event logs on all technical components of critical systems.

  2. 2-11-1-2 (Assessable)

    Activating and monitoring of alerts and event logs related to file integrity management.

  3. 2-11-1-3 (Assessable)

    Monitoring and analyzing user behavior.

  4. 2-11-1-4 (Assessable)

    Monitoring critical systems' security events around the clock.

  5. 2-11-1-5 (Assessable)

    Maintaining and protecting critical systems' security event logs. The log shall include all details (e.g., time, date, ID and affected system).

  6. 2-11-2 (Assessable)

    With reference to ECC subcontrol 2-12-3-5, the retention period for critical systems' cybersecurity event logs must be a minimum of 18 months, in accordance with relevant legislative and regulatory requirements.

2-12 Web Application Security

To ensure the protection of internet-facing web applications against cyber risk.

  1. 2-12-1-1 (Assessable)

    Secure session management, including session authenticity, session lockout and session timeout.

  2. 2-12-1-2 (Assessable)

    Applying the minimum standards of Open Web Application Security Project (OWASP) Top Ten.

  3. 2-12-2 (Assessable)

    With reference to ECC subcontrol 2-15-3-2, the multi-tier architecture principle, with a minimum of 3 tiers, must be used.

2-13 Application Security

To ensure the protection of the critical systems' internal applications against cyber risks.

  1. 2-13-1 (Assessable)

    Cybersecurity requirements for critical systems' internal applications must be defined, documented, and approved.

  2. 2-13-2 (Assessable)

    The cybersecurity requirements for critical systems' internal applications must be implemented.

  3. 2-13-3-1 (Assessable)

    Adopting multi-tier architecture principle, provided that number of tiers is not less than three.

  4. 2-13-3-2 (Assessable)

    Using secure protocols (e.g., HTTPS).

  5. 2-13-3-3 (Assessable)

    Outlining the acceptable use policy for users.

  6. 2-13-3-4 (Assessable)

    Secure session management, including session authenticity, session lockout and session timeout.

  7. 2-13-4 (Assessable)

    The cybersecurity requirements for critical systems' internal applications must be reviewed periodically.
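Sub-controls 2-12-1-1 (web applications) and 2-13-3-4 (internal applications) both require secure session management covering session authenticity, session lockout and session timeout. The code below is an added example written for this page, not code from the NCA or from any product the page describes, that shows the three properties together in one server-side component: tokens are HMAC-signed with a server-only key so a client cannot forge or alter a session identifier (authenticity), repeated failed logins lock the account for a fixed period (lockout), and sessions expire on both an idle window and an absolute lifetime (timeout). The timeout and lockout values are assumptions for the example; the injectable clock exists so expiry can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example; the real figures come from the
# organization's approved session-management requirements.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session expires
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, regardless of activity
MAX_FAILED_LOGINS = 5         # failed attempts before the account is locked out
LOCKOUT_PERIOD = 30 * 60      # seconds the account stays locked


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionManager:
    def __init__(self, server_key, clock=time.time):
        self._key = server_key   # secret known only to the server side
        self._clock = clock      # injectable clock so expiry can be tested deterministically
        self._sessions = {}      # session id -> Session
        self._failed = {}        # user -> (failed count, locked-until timestamp)

    # Session authenticity: the token is "<id>.<HMAC(id)>", so a client cannot
    # mint or alter a session identifier without the server key.
    def _sign(self, session_id):
        return hmac.new(self._key, session_id.encode("ascii"), hashlib.sha256).hexdigest()

    def create_session(self, user):
        now = self._clock()
        session_id = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._sessions[session_id] = Session(user, now, now)
        return f"{session_id}.{self._sign(session_id)}"

    def validate(self, token):
        """Return the session owner, or None if the token is forged, unknown or expired."""
        session_id, _, sig = token.rpartition(".")
        if not session_id or not hmac.compare_digest(sig, self._sign(session_id)):
            return None  # tampered or fabricated token
        session = self._sessions.get(session_id)
        if session is None:
            return None  # logged out, or never issued by this server
        now = self._clock()
        if now - session.created_at > ABSOLUTE_LIFETIME or now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[session_id]  # session timeout: invalidate server-side
            return None
        session.last_seen = now  # activity extends the idle window, never the absolute cap
        return session.user

    def logout(self, token):
        self._sessions.pop(token.rpartition(".")[0], None)

    # Session lockout: repeated failed logins lock the account for a fixed period.
    def is_locked(self, user):
        return self._clock() < self._failed.get(user, (0, 0.0))[1]

    def login(self, user, credentials_ok):
        """Full login step: refuse while locked, count failures, issue a session on success."""
        if self.is_locked(user):
            return None
        count, locked_until = self._failed.get(user, (0, 0.0))
        if credentials_ok:
            self._failed.pop(user, None)  # a successful login clears the failure counter
            return self.create_session(user)
        count += 1
        if count >= MAX_FAILED_LOGINS:
            self._failed[user] = (0, self._clock() + LOCKOUT_PERIOD)
        else:
            self._failed[user] = (count, locked_until)
        return None


if __name__ == "__main__":
    # Constructed demonstration with a real clock.
    manager = SessionManager(b"constructed-server-key")
    token = manager.login("alice", True)
    print(manager.validate(token))            # alice
    print(manager.validate(token[:-1] + "!"))  # None: signature no longer matches
```

Keeping session state server-side is what makes logout and timeout enforceable: a signed token alone would still be accepted after the user logged out. For a deployment, the server key and the session table live in a store shared by all application nodes, and the lockout counter is tracked per account rather than per client so that spreading attempts across addresses does not bypass it.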

3 Cybersecurity Resilience

1 subdomain · 1 control

3-1 Cybersecurity Resilience Aspects of Business Continuity Management (BCM)

To ensure the inclusion of the cybersecurity resiliency requirements within the organization's business continuity management and to remediate and minimize the impacts on systems, information processing facilities and critical e-services from disasters caused by cybersecurity incidents.

  1. 3-1-1-1 (Assessable)

    Establishing a disaster recovery center for critical systems.

  2. 3-1-1-2 (Assessable)

    Incorporating critical systems within disaster recovery plans.

  3. 3-1-1-3 (Assessable)

    Conducting periodical tests to ensure the efficiency of disaster recovery plans for critical systems, at least once annually.

  4. 3-1-1-4 (Assessable)

    NCA recommends conducting periodical live Disaster Recovery (DR) tests for critical systems.

4 Third-Party and Cloud Computing Cybersecurity

2 subdomains · 2 controls

4-1 Third-Party Cybersecurity

To ensure the protection of assets against cybersecurity risks related to third parties, including outsourcing and managed services as per organizational policies and procedures, and related laws and regulations.

  1. 4-1-1-1 (Assessable)

    Screening or vetting of outsourcing and managed services companies and personnel who work on critical systems.

  2. 4-1-1-2 (Assessable)

    Outsourcing and managed services of critical systems must rely on Saudi companies and organizations, in accordance with the relevant legislative and regulatory requirements.

4-2 Cloud Computing and Hosting Cybersecurity

To ensure the proper and efficient remediation of cyber risks and the implementation of cybersecurity requirements related to hosting and cloud computing as per organizational policies and procedures, and related laws and regulations. It is also to ensure the protection of the organization's information technology assets hosted on the cloud or processed/managed by third parties.

  1. 4-2-1-1 (Assessable)

    Hosting of critical systems and any part of their technical components must be inside the organization or within cloud computing services provided by government organizations or Saudi companies that are in compliance with NCA's Cloud Cybersecurity Controls (CCC), taking into account the classification of the hosted data.

Reference

Frequently asked questions

What is NCA CSCC?

The NCA Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) is a hardened cybersecurity framework issued by Saudi Arabia's National Cybersecurity Authority for entities operating critical systems. It extends the NCA ECC with additional, stricter requirements specifically for systems whose disruption would have a critical national impact.

What is a 'critical system' under CSCC?

A critical system is any information or operational technology system whose disruption, compromise, or loss of confidentiality, integrity, or availability would have a high impact on national interests. This includes systems supporting essential government services, critical financial infrastructure, energy and water supply, telecommunications backbones, healthcare systems, transport systems, and any environment classified by the NCA as critical for national security or public welfare.

How does CSCC relate to the NCA ECC?

CSCC is an extension framework. Every entity operating a critical system must comply with the ECC baseline first, then apply the CSCC controls on top wherever a critical system is in scope. CSCC sub-controls explicitly reference the equivalent ECC controls they tighten — for example, the CSCC strategy control sits on top of ECC subdomain 1-1, adding the requirement to prioritise protection of critical systems. The two frameworks are assessed together for critical-system operators.

Who must comply with NCA CSCC?

Any Saudi government entity or private-sector organisation that operates a critical system as defined by the NCA. This typically includes large financial institutions, telecommunications operators, energy and utility companies, healthcare systems supporting national-level operations, transport infrastructure operators, and government bodies operating national systems. The NCA determines critical-system classification through its sector engagement and assessment process.

How is CSCC assessed?

CSCC is assessed jointly with the ECC. Entities perform a structured self-assessment against each CSCC sub-control, identify the critical systems in scope, and submit evidence through the NCA's national reporting service. Because CSCC controls tighten ECC requirements, evidence often takes the form of demonstrating that ECC controls operate at a higher maturity level for critical systems than they do for general systems.

What sectors are most affected by CSCC?

Energy (electricity, oil and gas), water and wastewater, telecommunications, financial services (in addition to SAMA CSF), healthcare systems supporting national operations, transport (rail, aviation, ports), and government bodies operating national digital platforms. Any organisation in these sectors should expect to be assessed against CSCC for the systems classified as critical.
Get started

Run your NCA CSCC assessment with GRC Vantage

The complete NCA CSCC control library is pre-loaded inside GRC Vantage with evidence templates, ownership workflow and submission-ready reporting. Hosted inside Saudi Arabia for data residency.