I know there is a DISA STIG for whitelisting web browser, besides CM-7(5) which applies only to high impact systems, are there any other security requirements in NIST SP 800-53 that would force whitelisting for SAML RelayState Redirect?