NIST SP 800-53r4 iApp template

Problem this snippet solves:

This iApp template helps you configure BIG-IP to support security controls consonant with NIST Special Publication 800-53r4. This iApp focuses on management of the BIG-IP itself rather than control of application traffic through the BIG-IP. For more details on this iApp and how it supports NIST Special Publication 800-53r4, enable the Inline Help within the template. The Help tab in the GUI contains additional information.

The associated deployment guide is now available at

Fully supported version

v1.0.0 - Supported release

Released the fully supported version of the NIST iApp on 02-08-17. There were no additional changes to the iApp template over RC-6, however the iApp now supports BIG-IP versions 11.5.3 - 12.1.2. See for instructions on downloading, importing and using the iApp.

Release Candidate versions

v1.0.1rc3 and rc4

RC3 was released on with a single fix (corrected an issue where the iApp would incorrectly detect Appliance Mode). As a part of this fix, the iApp would not load on BIG-IP systems that had a previous version of the NIST iApp.

F5 released RC4 on DevCentral with a fix for this issue, and now the iApp loads properly on all devices. This version also contains a fix for multi-line banners and a fix for SNMP so the iApp catches any form of and maps it.

Released 1.0.1rc4 of the NIST iApp on 06-18-2018.


Released 1.0.1rc1 of the NIST iApp on 08-18-2017.

  • This version corrects an issue that would cause iApp Failure when configuring custom ports for self IP port lockdown


Released RC-6 of the NIST iApp on 12-12-2016.

  • In RC-6, all customer secrets/passwords in the iApp template are now securely stored. Previously, although secrets were stored in Secure Vault for use, some may have been stored in cleartext in the iApp reconfiguration data.* Added support for BIG-IP versions 12.1 and 12.1.1.
  • Made error messages produced by the template easier to understand.
  • If using RADIUS authentication, you are now limited a maximum of 10 servers. Previously there was no limit.
  • The source-IP option on additional syslog servers is honored in this version. Previously this field was ignored.


Released RC-5 of the NIST iApp on 12-16-2015.

  • RC-5 adds a new question to the iApp template if you specified LDAP as your authentication method, asking if the directory user objects include group-membership attributes (like memberOf).
  • Adds All as an option for remote-role partition access
  • Other minor bug fixes.


Released RC-4 of the NIST iApp on 12-02-2015.

  • RC-4 adds support for BIG-IP v11.5.3. The main difference is the "Fraud Protection Manager" role was not available in 11.5.3, and only v11.6 and later.* Added the iRule Manager role that was missing in previous versions of the iApp.
  • Clarified the answers and inline help for the MCPD audit log section.


Released RC-3 of the NIST iApp on 11-12-2015.

  • RC-3 contains mostly clarifications to the iApp presentation, including question/answer text and the inline help. Added warning messages where applicable. For the Management Access and SNMP Access IP addresses sections, removed the option to not allow any IP addresses, as this could cause issues, such as users inadvertently locking themselves out of the system.


Released RC-2 of the NIST iApp on 10-30-2015.

  • RC-2 corrects an issue where the option to revert to the pre-iApp configuration was not working properly.* Enhanced the management of self-IP access policies. Changes are now saved as the default for use with new self-IP objects as well as applied to existing self IP objects.

Code :

Published Oct 29, 2015
Version 1.0

Was this article helpful?


  • Former Member's avatar
    Former Member
    I was wondering when this was coming out. Thanks Joe!
  • Storing passphrase for LDAP search account in plain text is not ideal. Will this be addressed in this template?


  • "storing passphrase for LDAP search account in plain text is not ideal"


    You're right, and the same goes for RADIUS and TACACS+ secrets, etc. I will update f5 internal information to consider a suitable enhancement.


  • Joe / Mark,


    The newer 1.0.1RC3 in iApp bundle 512 fails to import on my 11.6.3 and 13.1.0.x appliances.


    The all spit out near identical message


    Loading configuration... /tmp/upload_template.tmpl Loading schema version: 11.5.0 Loading schema version: 11.6.3 01071485:3: CliShellScript (/Common/nist80053_1) content does not match the signature. Unexpected Error: Loading configuration process failed.


    I do have a case already open on this. I'll peek at 1.0.1RC1 see what it has over my existing 1.0.0 while waiting on support.


  • Hi Brian, thanks for letting us know. We are looking into it. Could you please send the case number via email if you still have my address? Thanks Joe


  • Just added RC4 to this page which solves the template loading issue.


  • Request:


    The "Remote Roles -- AC-3(7), CM-5" configuration section only allows a maximum of 5 group/roles to be managed from the NIST iApp.


    Can this be bumped to 10, or such. We want to keep these roles controlled from iApp versus having to add the few extra roles we need outside it from "System ›› Users : Remote Role Groups" directly.