| AC-1: Policy and Procedures |
|
| AC-10: Concurrent Session Control |
|
| AC-11: Device Lock |
|
| AC-11(1): Device Lock | Pattern-hiding Displays |
|
| AC-12: Session Termination |
|
| AC-12(1): Session Termination | User-initiated Logouts |
|
| AC-12(2): Session Termination | Termination Message |
|
| AC-12(3): Session Termination | Timeout Warning Message |
|
| AC-13: Supervision and Review — Access Control |
|
| AC-14: Permitted Actions Without Identification or Authentication |
|
| AC-14(1): Permitted Actions Without Identification or Authentication | Necessary Uses |
|
| AC-15: Automated Marking |
|
| AC-16: Security and Privacy Attributes |
|
| AC-16(1): Security and Privacy Attributes | Dynamic Attribute Association |
|
| AC-16(10): Security and Privacy Attributes | Attribute Configuration by Authorized Individuals |
|
| AC-16(2): Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals |
|
| AC-16(3): Security and Privacy Attributes | Maintenance of Attribute Associations by System |
|
| AC-16(4): Security and Privacy Attributes | Association of Attributes by Authorized Individuals |
|
| AC-16(5): Security and Privacy Attributes | Attribute Displays on Objects to Be Output |
|
| AC-16(6): Security and Privacy Attributes | Maintenance of Attribute Association |
|
| AC-16(7): Security and Privacy Attributes | Consistent Attribute Interpretation |
|
| AC-16(8): Security and Privacy Attributes | Association Techniques and Technologies |
|
| AC-16(9): Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms |
|
| AC-17: Remote Access |
|
| AC-17(1): Remote Access | Monitoring and Control |
|
| AC-17(10): Remote Access | Authenticate Remote Commands |
|
| AC-17(2): Remote Access | Protection of Confidentiality and Integrity Using Encryption |
|
| AC-17(3): Remote Access | Managed Access Control Points |
|
| AC-17(4): Remote Access | Privileged Commands and Access |
|
| AC-17(5): Remote Access | Monitoring for Unauthorized Connections |
|
| AC-17(6): Remote Access | Protection of Mechanism Information |
|
| AC-17(7): Remote Access | Additional Protection for Security Function Access |
|
| AC-17(8): Remote Access | Disable Nonsecure Network Protocols |
|
| AC-17(9): Remote Access | Disconnect or Disable Access |
|
| AC-18: Wireless Access |
|
| AC-18(1): Wireless Access | Authentication and Encryption |
|
| AC-18(2): Wireless Access | Monitoring Unauthorized Connections |
|
| AC-18(3): Wireless Access | Disable Wireless Networking |
|
| AC-18(4): Wireless Access | Restrict Configurations by Users |
|
| AC-18(5): Wireless Access | Antennas and Transmission Power Levels |
|
| AC-19: Access Control for Mobile Devices |
|
| AC-19(1): Access Control for Mobile Devices | Use of Writable and Portable Storage Devices |
|
| AC-19(2): Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices |
|
| AC-19(3): Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner |
|
| AC-19(4): Access Control for Mobile Devices | Restrictions for Classified Information |
|
| AC-19(5): Access Control for Mobile Devices | Full Device or Container-based Encryption |
|
| AC-2: Account Management |
|
| AC-2(1): Account Management | Automated System Account Management |
|
| AC-2(10): Account Management | Shared and Group Account Credential Change |
|
| AC-2(11): Account Management | Usage Conditions |
|
| AC-2(12): Account Management | Account Monitoring for Atypical Usage |
|
| AC-2(13): Account Management | Disable Accounts for High-risk Individuals |
|
| AC-2(2): Account Management | Automated Temporary and Emergency Account Management |
|
| AC-2(3): Account Management | Disable Accounts |
|
| AC-2(4): Account Management | Automated Audit Actions |
|
| AC-2(5): Account Management | Inactivity Logout |
|
| AC-2(6): Account Management | Dynamic Privilege Management |
|
| AC-2(7): Account Management | Privileged User Accounts |
|
| AC-2(8): Account Management | Dynamic Account Management |
|
| AC-2(9): Account Management | Restrictions on Use of Shared and Group Accounts |
|
| AC-20: Use of External Systems |
|
| AC-20(1): Use of External Systems | Limits on Authorized Use |
|
| AC-20(2): Use of External Systems | Portable Storage Devices — Restricted Use |
|
| AC-20(3): Use of External Systems | Non-organizationally Owned Systems — Restricted Use |
|
| AC-20(4): Use of External Systems | Network Accessible Storage Devices — Prohibited Use |
|
| AC-20(5): Use of External Systems | Portable Storage Devices — Prohibited Use |
|
| AC-21: Information Sharing |
|
| AC-21(1): Information Sharing | Automated Decision Support |
|
| AC-21(2): Information Sharing | Information Search and Retrieval |
|
| AC-22: Publicly Accessible Content |
|
| AC-23: Data Mining Protection |
|
| AC-24: Access Control Decisions |
|
| AC-24(1): Access Control Decisions | Transmit Access Authorization Information |
|
| AC-24(2): Access Control Decisions | No User or Process Identity |
|
| AC-25: Reference Monitor |
|
| AC-3: Access Enforcement |
|
| AC-3(1): Access Enforcement | Restricted Access to Privileged Functions |
|
| AC-3(10): Access Enforcement | Audited Override of Access Control Mechanisms |
|
| AC-3(11): Access Enforcement | Restrict Access to Specific Information Types |
|
| AC-3(12): Access Enforcement | Assert and Enforce Application Access |
|
| AC-3(13): Access Enforcement | Attribute-based Access Control |
|
| AC-3(14): Access Enforcement | Individual Access |
|
| AC-3(15): Access Enforcement | Discretionary and Mandatory Access Control |
|
| AC-3(2): Access Enforcement | Dual Authorization |
|
| AC-3(3): Access Enforcement | Mandatory Access Control |
|
| AC-3(4): Access Enforcement | Discretionary Access Control |
|
| AC-3(5): Access Enforcement | Security-relevant Information |
|
| AC-3(6): Access Enforcement | Protection of User and System Information |
|
| AC-3(7): Access Enforcement | Role-based Access Control |
|
| AC-3(8): Access Enforcement | Revocation of Access Authorizations |
|
| AC-3(9): Access Enforcement | Controlled Release |
|
| AC-4: Information Flow Enforcement |
|
| AC-4(1): Information Flow Enforcement | Object Security and Privacy Attributes |
|
| AC-4(10): Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters |
|
| AC-4(11): Information Flow Enforcement | Configuration of Security or Privacy Policy Filters |
|
| AC-4(12): Information Flow Enforcement | Data Type Identifiers |
|
| AC-4(13): Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents |
|
| AC-4(14): Information Flow Enforcement | Security or Privacy Policy Filter Constraints |
|
| AC-4(15): Information Flow Enforcement | Detection of Unsanctioned Information |
|
| AC-4(16): Information Flow Enforcement | Information Transfers on Interconnected Systems |
|
| AC-4(17): Information Flow Enforcement | Domain Authentication |
|
| AC-4(18): Information Flow Enforcement | Security Attribute Binding |
|
| AC-4(19): Information Flow Enforcement | Validation of Metadata |
|
| AC-4(2): Information Flow Enforcement | Processing Domains |
|
| AC-4(20): Information Flow Enforcement | Approved Solutions |
|
| AC-4(21): Information Flow Enforcement | Physical or Logical Separation of Information Flows |
|
| AC-4(22): Information Flow Enforcement | Access Only |
|
| AC-4(23): Information Flow Enforcement | Modify Non-releasable Information |
|
| AC-4(24): Information Flow Enforcement | Internal Normalized Format |
|
| AC-4(25): Information Flow Enforcement | Data Sanitization |
|
| AC-4(26): Information Flow Enforcement | Audit Filtering Actions |
|
| AC-4(27): Information Flow Enforcement | Redundant/independent Filtering Mechanisms |
|
| AC-4(28): Information Flow Enforcement | Linear Filter Pipelines |
|
| AC-4(29): Information Flow Enforcement | Filter Orchestration Engines |
|
| AC-4(3): Information Flow Enforcement | Dynamic Information Flow Control |
|
| AC-4(30): Information Flow Enforcement | Filter Mechanisms Using Multiple Processes |
|
| AC-4(31): Information Flow Enforcement | Failed Content Transfer Prevention |
|
| AC-4(32): Information Flow Enforcement | Process Requirements for Information Transfer |
|
| AC-4(4): Information Flow Enforcement | Flow Control of Encrypted Information |
|
| AC-4(5): Information Flow Enforcement | Embedded Data Types |
|
| AC-4(6): Information Flow Enforcement | Metadata |
|
| AC-4(7): Information Flow Enforcement | One-way Flow Mechanisms |
|
| AC-4(8): Information Flow Enforcement | Security and Privacy Policy Filters |
|
| AC-4(9): Information Flow Enforcement | Human Reviews |
|
| AC-5: Separation of Duties |
|
| AC-6: Least Privilege |
|
| AC-6(1): Least Privilege | Authorize Access to Security Functions |
|
| AC-6(10): Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions |
|
| AC-6(2): Least Privilege | Non-privileged Access for Nonsecurity Functions |
|
| AC-6(3): Least Privilege | Network Access to Privileged Commands |
|
| AC-6(4): Least Privilege | Separate Processing Domains |
|
| AC-6(5): Least Privilege | Privileged Accounts |
|
| AC-6(6): Least Privilege | Privileged Access by Non-organizational Users |
|
| AC-6(7): Least Privilege | Review of User Privileges |
|
| AC-6(8): Least Privilege | Privilege Levels for Code Execution |
|
| AC-6(9): Least Privilege | Log Use of Privileged Functions |
|
| AC-7: Unsuccessful Logon Attempts |
|
| AC-7(1): Unsuccessful Logon Attempts | Automatic Account Lock |
|
| AC-7(2): Unsuccessful Logon Attempts | Purge or Wipe Mobile Device |
|
| AC-7(3): Unsuccessful Logon Attempts | Biometric Attempt Limiting |
|
| AC-7(4): Unsuccessful Logon Attempts | Use of Alternate Authentication Factor |
|
| AC-8: System Use Notification |
|
| AC-9: Previous Logon Notification |
|
| AC-9(1): Previous Logon Notification | Unsuccessful Logons |
|
| AC-9(2): Previous Logon Notification | Successful and Unsuccessful Logons |
|
| AC-9(3): Previous Logon Notification | Notification of Account Changes |
|
| AC-9(4): Previous Logon Notification | Additional Logon Information |
|
| AT-1: Policy and Procedures |
|
| AT-2: Literacy Training and Awareness |
|
| AT-2(1): Literacy Training and Awareness | Practical Exercises |
|
| AT-2(2): Literacy Training and Awareness | Insider Threat |
|
| AT-2(3): Literacy Training and Awareness | Social Engineering and Mining |
|
| AT-2(4): Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior |
|
| AT-2(5): Literacy Training and Awareness | Advanced Persistent Threat |
|
| AT-2(6): Literacy Training and Awareness | Cyber Threat Environment |
|
| AT-3: Role-based Training |
|
| AT-3(1): Role-based Training | Environmental Controls |
|
| AT-3(2): Role-based Training | Physical Security Controls |
|
| AT-3(3): Role-based Training | Practical Exercises |
|
| AT-3(4): Role-based Training | Suspicious Communications and Anomalous System Behavior |
|
| AT-3(5): Role-based Training | Processing Personally Identifiable Information |
|
| AT-4: Training Records |
|
| AT-5: Contacts with Security Groups and Associations |
|
| AT-6: Training Feedback |
|
| AU-1: Policy and Procedures |
|
| AU-10: Non-repudiation |
|
| AU-10(1): Non-repudiation | Association of Identities |
|
| AU-10(2): Non-repudiation | Validate Binding of Information Producer Identity |
|
| AU-10(3): Non-repudiation | Chain of Custody |
|
| AU-10(4): Non-repudiation | Validate Binding of Information Reviewer Identity |
|
| AU-10(5): Non-repudiation | Digital Signatures |
|
| AU-11: Audit Record Retention |
|
| AU-11(1): Audit Record Retention | Long-term Retrieval Capability |
|
| AU-12: Audit Record Generation |
|
| AU-12(1): Audit Record Generation | System-wide and Time-correlated Audit Trail |
|
| AU-12(2): Audit Record Generation | Standardized Formats |
|
| AU-12(3): Audit Record Generation | Changes by Authorized Individuals |
|
| AU-12(4): Audit Record Generation | Query Parameter Audits of Personally Identifiable Information |
|
| AU-13: Monitoring for Information Disclosure |
|
| AU-13(1): Monitoring for Information Disclosure | Use of Automated Tools |
|
| AU-13(2): Monitoring for Information Disclosure | Review of Monitored Sites |
|
| AU-13(3): Monitoring for Information Disclosure | Unauthorized Replication of Information |
|
| AU-14: Session Audit |
|
| AU-14(1): Session Audit | System Start-up |
|
| AU-14(2): Session Audit | Capture and Record Content |
|
| AU-14(3): Session Audit | Remote Viewing and Listening |
|
| AU-15: Alternate Audit Logging Capability |
|
| AU-16: Cross-organizational Audit Logging |
|
| AU-16(1): Cross-organizational Audit Logging | Identity Preservation |
|
| AU-16(2): Cross-organizational Audit Logging | Sharing of Audit Information |
|
| AU-16(3): Cross-organizational Audit Logging | Disassociability |
|
| AU-2: Event Logging |
|
| AU-2(1): Event Logging | Compilation of Audit Records from Multiple Sources |
|
| AU-2(2): Event Logging | Selection of Audit Events by Component |
|
| AU-2(3): Event Logging | Reviews and Updates |
|
| AU-2(4): Event Logging | Privileged Functions |
|
| AU-3: Content of Audit Records |
|
| AU-3(1): Content of Audit Records | Additional Audit Information |
|
| AU-3(2): Content of Audit Records | Centralized Management of Planned Audit Record Content |
|
| AU-3(3): Content of Audit Records | Limit Personally Identifiable Information Elements |
|
| AU-4: Audit Log Storage Capacity |
|
| AU-4(1): Audit Log Storage Capacity | Transfer to Alternate Storage |
|
| AU-5: Response to Audit Logging Process Failures |
|
| AU-5(1): Response to Audit Logging Process Failures | Storage Capacity Warning |
|
| AU-5(2): Response to Audit Logging Process Failures | Real-time Alerts |
|
| AU-5(3): Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds |
|
| AU-5(4): Response to Audit Logging Process Failures | Shutdown on Failure |
|
| AU-5(5): Response to Audit Logging Process Failures | Alternate Audit Logging Capability |
|
| AU-6: Audit Record Review, Analysis, and Reporting |
|
| AU-6(1): Audit Record Review, Analysis, and Reporting | Automated Process Integration |
|
| AU-6(10): Audit Record Review, Analysis, and Reporting | Audit Level Adjustment |
|
| AU-6(2): Audit Record Review, Analysis, and Reporting | Automated Security Alerts |
|
| AU-6(3): Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories |
|
| AU-6(4): Audit Record Review, Analysis, and Reporting | Central Review and Analysis |
|
| AU-6(5): Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records |
|
| AU-6(6): Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring |
|
| AU-6(7): Audit Record Review, Analysis, and Reporting | Permitted Actions |
|
| AU-6(8): Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands |
|
| AU-6(9): Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources |
|
| AU-7: Audit Record Reduction and Report Generation |
|
| AU-7(1): Audit Record Reduction and Report Generation | Automatic Processing |
|
| AU-7(2): Audit Record Reduction and Report Generation | Automatic Sort and Search |
|
| AU-8: Time Stamps |
|
| AU-8(1): Time Stamps | Synchronization with Authoritative Time Source |
|
| AU-8(2): Time Stamps | Secondary Authoritative Time Source |
|
| AU-9: Protection of Audit Information |
|
| AU-9(1): Protection of Audit Information | Hardware Write-once Media |
|
| AU-9(2): Protection of Audit Information | Store on Separate Physical Systems or Components |
|
| AU-9(3): Protection of Audit Information | Cryptographic Protection |
|
| AU-9(4): Protection of Audit Information | Access by Subset of Privileged Users |
|
| AU-9(5): Protection of Audit Information | Dual Authorization |
|
| AU-9(6): Protection of Audit Information | Read-only Access |
|
| AU-9(7): Protection of Audit Information | Store on Component with Different Operating System |
|
| CA-1: Policy and Procedures |
|
| CA-2: Control Assessments |
|
| CA-2(1): Control Assessments | Independent Assessors |
|
| CA-2(2): Control Assessments | Specialized Assessments |
|
| CA-2(3): Control Assessments | Leveraging Results from External Organizations |
|
| CA-3: Information Exchange |
|
| CA-3(1): Information Exchange | Unclassified National Security System Connections |
|
| CA-3(2): Information Exchange | Classified National Security System Connections |
|
| CA-3(3): Information Exchange | Unclassified Non-national Security System Connections |
|
| CA-3(4): Information Exchange | Connections to Public Networks |
|
| CA-3(5): Information Exchange | Restrictions on External System Connections |
|
| CA-3(6): Information Exchange | Transfer Authorizations |
|
| CA-3(7): Information Exchange | Transitive Information Exchanges |
|
| CA-4: Security Certification |
|
| CA-5: Plan of Action and Milestones |
|
| CA-5(1): Plan of Action and Milestones | Automation Support for Accuracy and Currency |
|
| CA-6: Authorization |
|
| CA-6(1): Authorization | Joint Authorization — Intra-organization |
|
| CA-6(2): Authorization | Joint Authorization — Inter-organization |
|
| CA-7: Continuous Monitoring |
|
| CA-7(1): Continuous Monitoring | Independent Assessment |
|
| CA-7(2): Continuous Monitoring | Types of Assessments |
|
| CA-7(3): Continuous Monitoring | Trend Analyses |
|
| CA-7(4): Continuous Monitoring | Risk Monitoring |
|
| CA-7(5): Continuous Monitoring | Consistency Analysis |
|
| CA-7(6): Continuous Monitoring | Automation Support for Monitoring |
|
| CA-8: Penetration Testing |
|
| CA-8(1): Penetration Testing | Independent Penetration Testing Agent or Team |
|
| CA-8(2): Penetration Testing | Red Team Exercises |
|
| CA-8(3): Penetration Testing | Facility Penetration Testing |
|
| CA-9: Internal System Connections |
|
| CA-9(1): Internal System Connections | Compliance Checks |
|
| CM-1: Policy and Procedures |
|
| CM-10: Software Usage Restrictions |
|
| CM-10(1): Software Usage Restrictions | Open-source Software |
|
| CM-11: User-installed Software |
|
| CM-11(1): User-installed Software | Alerts for Unauthorized Installations |
|
| CM-11(2): User-installed Software | Software Installation with Privileged Status |
|
| CM-11(3): User-installed Software | Automated Enforcement and Monitoring |
|
| CM-12: Information Location |
|
| CM-12(1): Information Location | Automated Tools to Support Information Location |
|
| CM-13: Data Action Mapping |
|
| CM-14: Signed Components |
|
| CM-2: Baseline Configuration |
|
| CM-2(1): Baseline Configuration | Reviews and Updates |
|
| CM-2(2): Baseline Configuration | Automation Support for Accuracy and Currency |
|
| CM-2(3): Baseline Configuration | Retention of Previous Configurations |
|
| CM-2(4): Baseline Configuration | Unauthorized Software |
|
| CM-2(5): Baseline Configuration | Authorized Software |
|
| CM-2(6): Baseline Configuration | Development and Test Environments |
|
| CM-2(7): Baseline Configuration | Configure Systems and Components for High-risk Areas |
|
| CM-3: Configuration Change Control |
|
| CM-3(1): Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes |
|
| CM-3(2): Configuration Change Control | Testing, Validation, and Documentation of Changes |
|
| CM-3(3): Configuration Change Control | Automated Change Implementation |
|
| CM-3(4): Configuration Change Control | Security and Privacy Representatives |
|
| CM-3(5): Configuration Change Control | Automated Security Response |
|
| CM-3(6): Configuration Change Control | Cryptography Management |
|
| CM-3(7): Configuration Change Control | Review System Changes |
|
| CM-3(8): Configuration Change Control | Prevent or Restrict Configuration Changes |
|
| CM-4: Impact Analyses |
|
| CM-4(1): Impact Analyses | Separate Test Environments |
|
| CM-4(2): Impact Analyses | Verification of Controls |
|
| CM-5: Access Restrictions for Change |
|
| CM-5(1): Access Restrictions for Change | Automated Access Enforcement and Audit Records |
|
| CM-5(2): Access Restrictions for Change | Review System Changes |
|
| CM-5(3): Access Restrictions for Change | Signed Components |
|
| CM-5(4): Access Restrictions for Change | Dual Authorization |
|
| CM-5(5): Access Restrictions for Change | Privilege Limitation for Production and Operation |
|
| CM-5(6): Access Restrictions for Change | Limit Library Privileges |
|
| CM-5(7): Access Restrictions for Change | Automatic Implementation of Security Safeguards |
|
| CM-6: Configuration Settings |
|
| CM-6(1): Configuration Settings | Automated Management, Application, and Verification |
|
| CM-6(2): Configuration Settings | Respond to Unauthorized Changes |
|
| CM-6(3): Configuration Settings | Unauthorized Change Detection |
|
| CM-6(4): Configuration Settings | Conformance Demonstration |
|
| CM-7: Least Functionality |
|
| CM-7(1): Least Functionality | Periodic Review |
|
| CM-7(2): Least Functionality | Prevent Program Execution |
|
| CM-7(3): Least Functionality | Registration Compliance |
|
| CM-7(4): Least Functionality | Unauthorized Software — Deny-by-exception |
|
| CM-7(5): Least Functionality | Authorized Software — Allow-by-exception |
|
| CM-7(6): Least Functionality | Confined Environments with Limited Privileges |
|
| CM-7(7): Least Functionality | Code Execution in Protected Environments |
|
| CM-7(8): Least Functionality | Binary or Machine Executable Code |
|
| CM-7(9): Least Functionality | Prohibiting the Use of Unauthorized Hardware |
|
| CM-8: System Component Inventory |
|
| CM-8(1): System Component Inventory | Updates During Installation and Removal |
|
| CM-8(2): System Component Inventory | Automated Maintenance |
|
| CM-8(3): System Component Inventory | Automated Unauthorized Component Detection |
|
| CM-8(4): System Component Inventory | Accountability Information |
|
| CM-8(5): System Component Inventory | No Duplicate Accounting of Components |
|
| CM-8(6): System Component Inventory | Assessed Configurations and Approved Deviations |
|
| CM-8(7): System Component Inventory | Centralized Repository |
|
| CM-8(8): System Component Inventory | Automated Location Tracking |
|
| CM-8(9): System Component Inventory | Assignment of Components to Systems |
|
| CM-9: Configuration Management Plan |
|
| CM-9(1): Configuration Management Plan | Assignment of Responsibility |
|
| CP-1: Policy and Procedures |
|
| CP-10: System Recovery and Reconstitution |
|
| CP-10(1): System Recovery and Reconstitution | Contingency Plan Testing |
|
| CP-10(2): System Recovery and Reconstitution | Transaction Recovery |
|
| CP-10(3): System Recovery and Reconstitution | Compensating Security Controls |
|
| CP-10(4): System Recovery and Reconstitution | Restore Within Time Period |
|
| CP-10(5): System Recovery and Reconstitution | Failover Capability |
|
| CP-10(6): System Recovery and Reconstitution | Component Protection |
|
| CP-11: Alternate Communications Protocols |
|
| CP-12: Safe Mode |
|
| CP-13: Alternative Security Mechanisms |
|
| CP-2: Contingency Plan |
|
| CP-2(1): Contingency Plan | Coordinate with Related Plans |
|
| CP-2(2): Contingency Plan | Capacity Planning |
|
| CP-2(3): Contingency Plan | Resume Mission and Business Functions |
|
| CP-2(4): Contingency Plan | Resume All Mission and Business Functions |
|
| CP-2(5): Contingency Plan | Continue Mission and Business Functions |
|
| CP-2(6): Contingency Plan | Alternate Processing and Storage Sites |
|
| CP-2(7): Contingency Plan | Coordinate with External Service Providers |
|
| CP-2(8): Contingency Plan | Identify Critical Assets |
|
| CP-3: Contingency Training |
|
| CP-3(1): Contingency Training | Simulated Events |
|
| CP-3(2): Contingency Training | Mechanisms Used in Training Environments |
|
| CP-4: Contingency Plan Testing |
|
| CP-4(1): Contingency Plan Testing | Coordinate with Related Plans |
|
| CP-4(2): Contingency Plan Testing | Alternate Processing Site |
|
| CP-4(3): Contingency Plan Testing | Automated Testing |
|
| CP-4(4): Contingency Plan Testing | Full Recovery and Reconstitution |
|
| CP-4(5): Contingency Plan Testing | Self-challenge |
|
| CP-5: Contingency Plan Update |
|
| CP-6: Alternate Storage Site |
|
| CP-6(1): Alternate Storage Site | Separation from Primary Site |
|
| CP-6(2): Alternate Storage Site | Recovery Time and Recovery Point Objectives |
|
| CP-6(3): Alternate Storage Site | Accessibility |
|
| CP-7: Alternate Processing Site |
|
| CP-7(1): Alternate Processing Site | Separation from Primary Site |
|
| CP-7(2): Alternate Processing Site | Accessibility |
|
| CP-7(3): Alternate Processing Site | Priority of Service |
|
| CP-7(4): Alternate Processing Site | Preparation for Use |
|
| CP-7(5): Alternate Processing Site | Equivalent Information Security Safeguards |
|
| CP-7(6): Alternate Processing Site | Inability to Return to Primary Site |
|
| CP-8: Telecommunications Services |
|
| CP-8(1): Telecommunications Services | Priority of Service Provisions |
|
| CP-8(2): Telecommunications Services | Single Points of Failure |
|
| CP-8(3): Telecommunications Services | Separation of Primary and Alternate Providers |
|
| CP-8(4): Telecommunications Services | Provider Contingency Plan |
|
| CP-8(5): Telecommunications Services | Alternate Telecommunication Service Testing |
|
| CP-9: System Backup |
|
| CP-9(1): System Backup | Testing for Reliability and Integrity |
|
| CP-9(2): System Backup | Test Restoration Using Sampling |
|
| CP-9(3): System Backup | Separate Storage for Critical Information |
|
| CP-9(4): System Backup | Protection from Unauthorized Modification |
|
| CP-9(5): System Backup | Transfer to Alternate Storage Site |
|
| CP-9(6): System Backup | Redundant Secondary System |
|
| CP-9(7): System Backup | Dual Authorization for Deletion or Destruction |
|
| CP-9(8): System Backup | Cryptographic Protection |
|
| IA-1: Policy and Procedures |
|
| IA-10: Adaptive Authentication |
|
| IA-11: Re-authentication |
|
| IA-12: Identity Proofing |
|
| IA-12(1): Identity Proofing | Supervisor Authorization |
|
| IA-12(2): Identity Proofing | Identity Evidence |
|
| IA-12(3): Identity Proofing | Identity Evidence Validation and Verification |
|
| IA-12(4): Identity Proofing | In-person Validation and Verification |
|
| IA-12(5): Identity Proofing | Address Confirmation |
|
| IA-12(6): Identity Proofing | Accept Externally-proofed Identities |
|
| IA-2: Identification and Authentication (organizational Users) |
|
| IA-2(1): Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts |
|
| IA-2(10): Identification and Authentication (organizational Users) | Single Sign-on |
|
| IA-2(11): Identification and Authentication (organizational Users) | Remote Access — Separate Device |
|
| IA-2(12): Identification and Authentication (organizational Users) | Acceptance of PIV Credentials |
|
| IA-2(13): Identification and Authentication (organizational Users) | Out-of-band Authentication |
|
| IA-2(2): Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts |
|
| IA-2(3): Identification and Authentication (organizational Users) | Local Access to Privileged Accounts |
|
| IA-2(4): Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts |
|
| IA-2(5): Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication |
|
| IA-2(6): Identification and Authentication (organizational Users) | Access to Accounts — Separate Device |
|
| IA-2(7): Identification and Authentication (organizational Users) | Network Access to Non-privileged Accounts — Separate Device |
|
| IA-2(8): Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant |
|
| IA-2(9): Identification and Authentication (organizational Users) | Network Access to Non-privileged Accounts — Replay Resistant |
|
| IA-3: Device Identification and Authentication |
|
| IA-3(1): Device Identification and Authentication | Cryptographic Bidirectional Authentication |
|
| IA-3(2): Device Identification and Authentication | Cryptographic Bidirectional Network Authentication |
|
| IA-3(3): Device Identification and Authentication | Dynamic Address Allocation |
|
| IA-3(4): Device Identification and Authentication | Device Attestation |
|
| IA-4: Identifier Management |
|
| IA-4(1): Identifier Management | Prohibit Account Identifiers as Public Identifiers |
|
| IA-4(2): Identifier Management | Supervisor Authorization |
|
| IA-4(3): Identifier Management | Multiple Forms of Certification |
|
| IA-4(4): Identifier Management | Identify User Status |
|
| IA-4(5): Identifier Management | Dynamic Management |
|
| IA-4(6): Identifier Management | Cross-organization Management |
|
| IA-4(7): Identifier Management | In-person Registration |
|
| IA-4(8): Identifier Management | Pairwise Pseudonymous Identifiers |
|
| IA-4(9): Identifier Management | Attribute Maintenance and Protection |
|
| IA-5: Authenticator Management |
|
| IA-5(1): Authenticator Management | Password-based Authentication |
|
| IA-5(10): Authenticator Management | Dynamic Credential Binding |
|
| IA-5(11): Authenticator Management | Hardware Token-based Authentication |
|
| IA-5(12): Authenticator Management | Biometric Authentication Performance |
|
| IA-5(13): Authenticator Management | Expiration of Cached Authenticators |
|
| IA-5(14): Authenticator Management | Managing Content of PKI Trust Stores |
|
| IA-5(15): Authenticator Management | GSA-approved Products and Services |
|
| IA-5(16): Authenticator Management | In-person or Trusted External Party Authenticator Issuance |
|
| IA-5(17): Authenticator Management | Presentation Attack Detection for Biometric Authenticators |
|
| IA-5(18): Authenticator Management | Password Managers |
|
| IA-5(2): Authenticator Management | Public Key-based Authentication |
|
| IA-5(3): Authenticator Management | In-person or Trusted External Party Registration |
|
| IA-5(4): Authenticator Management | Automated Support for Password Strength Determination |
|
| IA-5(5): Authenticator Management | Change Authenticators Prior to Delivery |
|
| IA-5(6): Authenticator Management | Protection of Authenticators |
|
| IA-5(7): Authenticator Management | No Embedded Unencrypted Static Authenticators |
|
| IA-5(8): Authenticator Management | Multiple System Accounts |
|
| IA-5(9): Authenticator Management | Federated Credential Management |
|
| IA-6: Authentication Feedback |
|
| IA-7: Cryptographic Module Authentication |
|
| IA-8: Identification and Authentication (non-organizational Users) |
|
| IA-8(1): Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies |
|
| IA-8(2): Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators |
|
| IA-8(3): Identification and Authentication (non-organizational Users) | Use of FICAM-approved Products |
|
| IA-8(4): Identification and Authentication (non-organizational Users) | Use of Defined Profiles |
|
| IA-8(5): Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials |
|
| IA-8(6): Identification and Authentication (non-organizational Users) | Disassociability |
|
| IA-9: Service Identification and Authentication |
|
| IA-9(1): Service Identification and Authentication | Information Exchange |
|
| IA-9(2): Service Identification and Authentication | Transmission of Decisions |
|
| IR-1: Policy and Procedures |
|
| IR-10: Integrated Information Security Analysis Team |
|
| IR-2: Incident Response Training |
|
| IR-2(1): Incident Response Training | Simulated Events |
|
| IR-2(2): Incident Response Training | Automated Training Environments |
|
| IR-2(3): Incident Response Training | Breach |
|
| IR-3: Incident Response Testing |
|
| IR-3(1): Incident Response Testing | Automated Testing |
|
| IR-3(2): Incident Response Testing | Coordination with Related Plans |
|
| IR-3(3): Incident Response Testing | Continuous Improvement |
|
| IR-4: Incident Handling |
|
| IR-4(1): Incident Handling | Automated Incident Handling Processes |
|
| IR-4(10): Incident Handling | Supply Chain Coordination |
|
| IR-4(11): Incident Handling | Integrated Incident Response Team |
|
| IR-4(12): Incident Handling | Malicious Code and Forensic Analysis |
|
| IR-4(13): Incident Handling | Behavior Analysis |
|
| IR-4(14): Incident Handling | Security Operations Center |
|
| IR-4(15): Incident Handling | Public Relations and Reputation Repair |
|
| IR-4(2): Incident Handling | Dynamic Reconfiguration |
|
| IR-4(3): Incident Handling | Continuity of Operations |
|
| IR-4(4): Incident Handling | Information Correlation |
|
| IR-4(5): Incident Handling | Automatic Disabling of System |
|
| IR-4(6): Incident Handling | Insider Threats |
|
| IR-4(7): Incident Handling | Insider Threats — Intra-organization Coordination |
|
| IR-4(8): Incident Handling | Correlation with External Organizations |
|
| IR-4(9): Incident Handling | Dynamic Response Capability |
|
| IR-5: Incident Monitoring |
|
| IR-5(1): Incident Monitoring | Automated Tracking, Data Collection, and Analysis |
|
| IR-6: Incident Reporting |
|
| IR-6(1): Incident Reporting | Automated Reporting |
|
| IR-6(2): Incident Reporting | Vulnerabilities Related to Incidents |
|
| IR-6(3): Incident Reporting | Supply Chain Coordination |
|
| IR-7: Incident Response Assistance |
|
| IR-7(1): Incident Response Assistance | Automation Support for Availability of Information and Support |
|
| IR-7(2): Incident Response Assistance | Coordination with External Providers |
|
| IR-8: Incident Response Plan |
|
| IR-8(1): Incident Response Plan | Breaches |
|
| IR-9: Information Spillage Response |
|
| IR-9(1): Information Spillage Response | Responsible Personnel |
|
| IR-9(2): Information Spillage Response | Training |
|
| IR-9(3): Information Spillage Response | Post-spill Operations |
|
| IR-9(4): Information Spillage Response | Exposure to Unauthorized Personnel |
|
| MA-1: Policy and Procedures |
|
| MA-2: Controlled Maintenance |
|
| MA-2(1): Controlled Maintenance | Record Content |
|
| MA-2(2): Controlled Maintenance | Automated Maintenance Activities |
|
| MA-3: Maintenance Tools |
|
| MA-3(1): Maintenance Tools | Inspect Tools |
|
| MA-3(2): Maintenance Tools | Inspect Media |
|
| MA-3(3): Maintenance Tools | Prevent Unauthorized Removal |
|
| MA-3(4): Maintenance Tools | Restricted Tool Use |
|
| MA-3(5): Maintenance Tools | Execution with Privilege |
|
| MA-3(6): Maintenance Tools | Software Updates and Patches |
|
| MA-4: Nonlocal Maintenance |
|
| MA-4(1): Nonlocal Maintenance | Logging and Review |
|
| MA-4(2): Nonlocal Maintenance | Document Nonlocal Maintenance |
|
| MA-4(3): Nonlocal Maintenance | Comparable Security and Sanitization |
|
| MA-4(4): Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions |
|
| MA-4(5): Nonlocal Maintenance | Approvals and Notifications |
|
| MA-4(6): Nonlocal Maintenance | Cryptographic Protection |
|
| MA-4(7): Nonlocal Maintenance | Disconnect Verification |
|
| MA-5: Maintenance Personnel |
|
| MA-5(1): Maintenance Personnel | Individuals Without Appropriate Access |
|
| MA-5(2): Maintenance Personnel | Security Clearances for Classified Systems |
|
| MA-5(3): Maintenance Personnel | Citizenship Requirements for Classified Systems |
|
| MA-5(4): Maintenance Personnel | Foreign Nationals |
|
| MA-5(5): Maintenance Personnel | Non-system Maintenance |
|
| MA-6: Timely Maintenance |
|
| MA-6(1): Timely Maintenance | Preventive Maintenance |
|
| MA-6(2): Timely Maintenance | Predictive Maintenance |
|
| MA-6(3): Timely Maintenance | Automated Support for Predictive Maintenance |
|
| MA-7: Field Maintenance |
|
| MP-1: Policy and Procedures |
|
| MP-2: Media Access |
|
| MP-2(1): Media Access | Automated Restricted Access |
|
| MP-2(2): Media Access | Cryptographic Protection |
|
| MP-3: Media Marking |
|
| MP-4: Media Storage |
|
| MP-4(1): Media Storage | Cryptographic Protection |
|
| MP-4(2): Media Storage | Automated Restricted Access |
|
| MP-5: Media Transport |
|
| MP-5(1): Media Transport | Protection Outside of Controlled Areas |
|
| MP-5(2): Media Transport | Documentation of Activities |
|
| MP-5(3): Media Transport | Custodians |
|
| MP-5(4): Media Transport | Cryptographic Protection |
|
| MP-6: Media Sanitization |
|
| MP-6(1): Media Sanitization | Review, Approve, Track, Document, and Verify |
|
| MP-6(2): Media Sanitization | Equipment Testing |
|
| MP-6(3): Media Sanitization | Nondestructive Techniques |
|
| MP-6(4): Media Sanitization | Controlled Unclassified Information |
|
| MP-6(5): Media Sanitization | Classified Information |
|
| MP-6(6): Media Sanitization | Media Destruction |
|
| MP-6(7): Media Sanitization | Dual Authorization |
|
| MP-6(8): Media Sanitization | Remote Purging or Wiping of Information |
|
| MP-7: Media Use |
|
| MP-7(1): Media Use | Prohibit Use Without Owner |
|
| MP-7(2): Media Use | Prohibit Use of Sanitization-resistant Media |
|
| MP-8: Media Downgrading |
|
| MP-8(1): Media Downgrading | Documentation of Process |
|
| MP-8(2): Media Downgrading | Equipment Testing |
|
| MP-8(3): Media Downgrading | Controlled Unclassified Information |
|
| MP-8(4): Media Downgrading | Classified Information |
|
| PE-1: Policy and Procedures |
|
| PE-10: Emergency Shutoff |
|
| PE-10(1): Emergency Shutoff | Accidental and Unauthorized Activation |
|
| PE-11: Emergency Power |
|
| PE-11(1): Emergency Power | Alternate Power Supply — Minimal Operational Capability |
|
| PE-11(2): Emergency Power | Alternate Power Supply — Self-contained |
|
| PE-12: Emergency Lighting |
|
| PE-12(1): Emergency Lighting | Essential Mission and Business Functions |
|
| PE-13: Fire Protection |
|
| PE-13(1): Fire Protection | Detection Systems — Automatic Activation and Notification |
|
| PE-13(2): Fire Protection | Suppression Systems — Automatic Activation and Notification |
|
| PE-13(3): Fire Protection | Automatic Fire Suppression |
|
| PE-13(4): Fire Protection | Inspections |
|
| PE-14: Environmental Controls |
|
| PE-14(1): Environmental Controls | Automatic Controls |
|
| PE-14(2): Environmental Controls | Monitoring with Alarms and Notifications |
|
| PE-15: Water Damage Protection |
|
| PE-15(1): Water Damage Protection | Automation Support |
|
| PE-16: Delivery and Removal |
|
| PE-17: Alternate Work Site |
|
| PE-18: Location of System Components |
|
| PE-18(1): Location of System Components | Facility Site |
|
| PE-19: Information Leakage |
|
| PE-19(1): Information Leakage | National Emissions Policies and Procedures |
|
| PE-2: Physical Access Authorizations |
|
| PE-2(1): Physical Access Authorizations | Access by Position or Role |
|
| PE-2(2): Physical Access Authorizations | Two Forms of Identification |
|
| PE-2(3): Physical Access Authorizations | Restrict Unescorted Access |
|
| PE-20: Asset Monitoring and Tracking |
|
| PE-21: Electromagnetic Pulse Protection |
|
| PE-22: Component Marking |
|
| PE-23: Facility Location |
|
| PE-3: Physical Access Control |
|
| PE-3(1): Physical Access Control | System Access |
|
| PE-3(2): Physical Access Control | Facility and Systems |
|
| PE-3(3): Physical Access Control | Continuous Guards |
|
| PE-3(4): Physical Access Control | Lockable Casings |
|
| PE-3(5): Physical Access Control | Tamper Protection |
|
| PE-3(6): Physical Access Control | Facility Penetration Testing |
|
| PE-3(7): Physical Access Control | Physical Barriers |
|
| PE-3(8): Physical Access Control | Access Control Vestibules |
|
| PE-4: Access Control for Transmission |
|
| PE-5: Access Control for Output Devices |
|
| PE-5(1): Access Control for Output Devices | Access to Output by Authorized Individuals |
|
| PE-5(2): Access Control for Output Devices | Link to Individual Identity |
|
| PE-5(3): Access Control for Output Devices | Marking Output Devices |
|
| PE-6: Monitoring Physical Access |
|
| PE-6(1): Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment |
|
| PE-6(2): Monitoring Physical Access | Automated Intrusion Recognition and Responses |
|
| PE-6(3): Monitoring Physical Access | Video Surveillance |
|
| PE-6(4): Monitoring Physical Access | Monitoring Physical Access to Systems |
|
| PE-7: Visitor Control |
|
| PE-8: Visitor Access Records |
|
| PE-8(1): Visitor Access Records | Automated Records Maintenance and Review |
|
| PE-8(2): Visitor Access Records | Physical Access Records |
|
| PE-8(3): Visitor Access Records | Limit Personally Identifiable Information Elements |
|
| PE-9: Power Equipment and Cabling |
|
| PE-9(1): Power Equipment and Cabling | Redundant Cabling |
|
| PE-9(2): Power Equipment and Cabling | Automatic Voltage Controls |
|
| PL-1: Policy and Procedures |
|
| PL-10: Baseline Selection |
|
| PL-11: Baseline Tailoring |
|
| PL-2: System Security and Privacy Plans |
|
| PL-2(1): System Security and Privacy Plans | Concept of Operations |
|
| PL-2(2): System Security and Privacy Plans | Functional Architecture |
|
| PL-2(3): System Security and Privacy Plans | Plan and Coordinate with Other Organizational Entities |
|
| PL-3: System Security Plan Update |
|
| PL-4: Rules of Behavior |
|
| PL-4(1): Rules of Behavior | Social Media and External Site/application Usage Restrictions |
|
| PL-5: Privacy Impact Assessment |
|
| PL-6: Security-related Activity Planning |
|
| PL-7: Concept of Operations |
|
| PL-8: Security and Privacy Architectures |
|
| PL-8(1): Security and Privacy Architectures | Defense in Depth |
|
| PL-8(2): Security and Privacy Architectures | Supplier Diversity |
|
| PL-9: Central Management |
|
| PM-1: Information Security Program Plan |
|
| PM-10: Authorization Process |
|
| PM-11: Mission and Business Process Definition |
|
| PM-12: Insider Threat Program |
|
| PM-13: Security and Privacy Workforce |
|
| PM-14: Testing, Training, and Monitoring |
|
| PM-15: Security and Privacy Groups and Associations |
|
| PM-16: Threat Awareness Program |
|
| PM-16(1): Threat Awareness Program | Automated Means for Sharing Threat Intelligence |
|
| PM-17: Protecting Controlled Unclassified Information on External Systems |
|
| PM-18: Privacy Program Plan |
|
| PM-19: Privacy Program Leadership Role |
|
| PM-2: Information Security Program Leadership Role |
|
| PM-20: Dissemination of Privacy Program Information |
|
| PM-20(1): Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services |
|
| PM-21: Accounting of Disclosures |
|
| PM-22: Personally Identifiable Information Quality Management |
|
| PM-23: Data Governance Body |
|
| PM-24: Data Integrity Board |
|
| PM-25: Minimization of Personally Identifiable Information Used in Testing, Training, and Research |
|
| PM-26: Complaint Management |
|
| PM-27: Privacy Reporting |
|
| PM-28: Risk Framing |
|
| PM-29: Risk Management Program Leadership Roles |
|
| PM-3: Information Security and Privacy Resources |
|
| PM-30: Supply Chain Risk Management Strategy |
|
| PM-30(1): Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items |
|
| PM-31: Continuous Monitoring Strategy |
|
| PM-32: Purposing |
|
| PM-4: Plan of Action and Milestones Process |
|
| PM-5: System Inventory |
|
| PM-5(1): System Inventory | Inventory of Personally Identifiable Information |
|
| PM-6: Measures of Performance |
|
| PM-7: Enterprise Architecture |
|
| PM-7(1): Enterprise Architecture | Offloading |
|
| PM-8: Critical Infrastructure Plan |
|
| PM-9: Risk Management Strategy |
|
| PS-1: Policy and Procedures |
|
| PS-2: Position Risk Designation |
|
| PS-3: Personnel Screening |
|
| PS-3(1): Personnel Screening | Classified Information |
|
| PS-3(2): Personnel Screening | Formal Indoctrination |
|
| PS-3(3): Personnel Screening | Information Requiring Special Protective Measures |
|
| PS-3(4): Personnel Screening | Citizenship Requirements |
|
| PS-4: Personnel Termination |
|
| PS-4(1): Personnel Termination | Post-employment Requirements |
|
| PS-4(2): Personnel Termination | Automated Actions |
|
| PS-5: Personnel Transfer |
|
| PS-6: Access Agreements |
|
| PS-6(1): Access Agreements | Information Requiring Special Protection |
|
| PS-6(2): Access Agreements | Classified Information Requiring Special Protection |
|
| PS-6(3): Access Agreements | Post-employment Requirements |
|
| PS-7: External Personnel Security |
|
| PS-8: Personnel Sanctions |
|
| PS-9: Position Descriptions |
|
| PT-1: Policy and Procedures |
|
| PT-2: Authority to Process Personally Identifiable Information |
|
| PT-2(1): Authority to Process Personally Identifiable Information | Data Tagging |
|
| PT-2(2): Authority to Process Personally Identifiable Information | Automation |
|
| PT-3: Personally Identifiable Information Processing Purposes |
|
| PT-3(1): Personally Identifiable Information Processing Purposes | Data Tagging |
|
| PT-3(2): Personally Identifiable Information Processing Purposes | Automation |
|
| PT-4: Consent |
|
| PT-4(1): Consent | Tailored Consent |
|
| PT-4(2): Consent | Just-in-time Consent |
|
| PT-4(3): Consent | Revocation |
|
| PT-5: Privacy Notice |
|
| PT-5(1): Privacy Notice | Just-in-time Notice |
|
| PT-5(2): Privacy Notice | Privacy Act Statements |
|
| PT-6: System of Records Notice |
|
| PT-6(1): System of Records Notice | Routine Uses |
|
| PT-6(2): System of Records Notice | Exemption Rules |
|
| PT-7: Specific Categories of Personally Identifiable Information |
|
| PT-7(1): Specific Categories of Personally Identifiable Information | Social Security Numbers |
|
| PT-7(2): Specific Categories of Personally Identifiable Information | First Amendment Information |
|
| PT-8: Computer Matching Requirements |
|
| RA-1: Policy and Procedures |
|
| RA-10: Threat Hunting |
|
| RA-2: Security Categorization |
|
| RA-2(1): Security Categorization | Impact-level Prioritization |
|
| RA-3: Risk Assessment |
|
| RA-3(1): Risk Assessment | Supply Chain Risk Assessment |
|
| RA-3(2): Risk Assessment | Use of All-source Intelligence |
|
| RA-3(3): Risk Assessment | Dynamic Threat Awareness |
|
| RA-3(4): Risk Assessment | Predictive Cyber Analytics |
|
| RA-4: Risk Assessment Update |
|
| RA-5: Vulnerability Monitoring and Scanning |
|
| RA-5(1): Vulnerability Monitoring and Scanning | Update Tool Capability |
|
| RA-5(10): Vulnerability Monitoring and Scanning | Correlate Scanning Information |
|
| RA-5(11): Vulnerability Monitoring and Scanning | Public Disclosure Program |
|
| RA-5(2): Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned |
|
| RA-5(3): Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage |
|
| RA-5(4): Vulnerability Monitoring and Scanning | Discoverable Information |
|
| RA-5(5): Vulnerability Monitoring and Scanning | Privileged Access |
|
| RA-5(6): Vulnerability Monitoring and Scanning | Automated Trend Analyses |
|
| RA-5(7): Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components |
|
| RA-5(8): Vulnerability Monitoring and Scanning | Review Historic Audit Logs |
|
| RA-5(9): Vulnerability Monitoring and Scanning | Penetration Testing and Analyses |
|
| RA-6: Technical Surveillance Countermeasures Survey |
|
| RA-7: Risk Response |
|
| RA-8: Privacy Impact Assessments |
|
| RA-9: Criticality Analysis |
|
| SA-1: Policy and Procedures |
|
| SA-10: Developer Configuration Management |
|
| SA-10(1): Developer Configuration Management | Software and Firmware Integrity Verification |
|
| SA-10(2): Developer Configuration Management | Alternative Configuration Management Processes |
|
| SA-10(3): Developer Configuration Management | Hardware Integrity Verification |
|
| SA-10(4): Developer Configuration Management | Trusted Generation |
|
| SA-10(5): Developer Configuration Management | Mapping Integrity for Version Control |
|
| SA-10(6): Developer Configuration Management | Trusted Distribution |
|
| SA-10(7): Developer Configuration Management | Security and Privacy Representatives |
|
| SA-11: Developer Testing and Evaluation |
|
| SA-11(1): Developer Testing and Evaluation | Static Code Analysis |
|
| SA-11(2): Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses |
|
| SA-11(3): Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence |
|
| SA-11(4): Developer Testing and Evaluation | Manual Code Reviews |
|
| SA-11(5): Developer Testing and Evaluation | Penetration Testing |
|
| SA-11(6): Developer Testing and Evaluation | Attack Surface Reviews |
|
| SA-11(7): Developer Testing and Evaluation | Verify Scope of Testing and Evaluation |
|
| SA-11(8): Developer Testing and Evaluation | Dynamic Code Analysis |
|
| SA-11(9): Developer Testing and Evaluation | Interactive Application Security Testing |
|
| SA-12: Supply Chain Protection |
|
| SA-12(1): Supply Chain Protection | Acquisition Strategies / Tools / Methods |
|
| SA-12(10): Supply Chain Protection | Validate as Genuine and Not Altered |
|
| SA-12(11): Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors |
|
| SA-12(12): Supply Chain Protection | Inter-organizational Agreements |
|
| SA-12(13): Supply Chain Protection | Critical Information System Components |
|
| SA-12(14): Supply Chain Protection | Identity and Traceability |
|
| SA-12(15): Supply Chain Protection | Processes to Address Weaknesses or Deficiencies |
|
| SA-12(2): Supply Chain Protection | Supplier Reviews |
|
| SA-12(3): Supply Chain Protection | Trusted Shipping and Warehousing |
|
| SA-12(4): Supply Chain Protection | Diversity of Suppliers |
|
| SA-12(5): Supply Chain Protection | Limitation of Harm |
|
| SA-12(6): Supply Chain Protection | Minimizing Procurement Time |
|
| SA-12(7): Supply Chain Protection | Assessments Prior to Selection / Acceptance / Update |
|
| SA-12(8): Supply Chain Protection | Use of All-source Intelligence |
|
| SA-12(9): Supply Chain Protection | Operations Security |
|
| SA-13: Trustworthiness |
|
| SA-14: Criticality Analysis |
|
| SA-14(1): Criticality Analysis | Critical Components with No Viable Alternative Sourcing |
|
| SA-15: Development Process, Standards, and Tools |
|
| SA-15(1): Development Process, Standards, and Tools | Quality Metrics |
|
| SA-15(10): Development Process, Standards, and Tools | Incident Response Plan |
|
| SA-15(11): Development Process, Standards, and Tools | Archive System or Component |
|
| SA-15(12): Development Process, Standards, and Tools | Minimize Personally Identifiable Information |
|
| SA-15(2): Development Process, Standards, and Tools | Security and Privacy Tracking Tools |
|
| SA-15(3): Development Process, Standards, and Tools | Criticality Analysis |
|
| SA-15(4): Development Process, Standards, and Tools | Threat Modeling and Vulnerability Analysis |
|
| SA-15(5): Development Process, Standards, and Tools | Attack Surface Reduction |
|
| SA-15(6): Development Process, Standards, and Tools | Continuous Improvement |
|
| SA-15(7): Development Process, Standards, and Tools | Automated Vulnerability Analysis |
|
| SA-15(8): Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information |
|
| SA-15(9): Development Process, Standards, and Tools | Use of Live Data |
|
| SA-16: Developer-provided Training |
|
| SA-17: Developer Security and Privacy Architecture and Design |
|
| SA-17(1): Developer Security and Privacy Architecture and Design | Formal Policy Model |
|
| SA-17(2): Developer Security and Privacy Architecture and Design | Security-relevant Components |
|
| SA-17(3): Developer Security and Privacy Architecture and Design | Formal Correspondence |
|
| SA-17(4): Developer Security and Privacy Architecture and Design | Informal Correspondence |
|
| SA-17(5): Developer Security and Privacy Architecture and Design | Conceptually Simple Design |
|
| SA-17(6): Developer Security and Privacy Architecture and Design | Structure for Testing |
|
| SA-17(7): Developer Security and Privacy Architecture and Design | Structure for Least Privilege |
|
| SA-17(8): Developer Security and Privacy Architecture and Design | Orchestration |
|
| SA-17(9): Developer Security and Privacy Architecture and Design | Design Diversity |
|
| SA-18: Tamper Resistance and Detection |
|
| SA-18(1): Tamper Resistance and Detection | Multiple Phases of System Development Life Cycle |
|
| SA-18(2): Tamper Resistance and Detection | Inspection of Systems or Components |
|
| SA-19: Component Authenticity |
|
| SA-19(1): Component Authenticity | Anti-counterfeit Training |
|
| SA-19(2): Component Authenticity | Configuration Control for Component Service and Repair |
|
| SA-19(3): Component Authenticity | Component Disposal |
|
| SA-19(4): Component Authenticity | Anti-counterfeit Scanning |
|
| SA-2: Allocation of Resources |
|
| SA-20: Customized Development of Critical Components |
|
| SA-21: Developer Screening |
|
| SA-21(1): Developer Screening | Validation of Screening |
|
| SA-22: Unsupported System Components |
|
| SA-22(1): Unsupported System Components | Alternative Sources for Continued Support |
|
| SA-23: Specialization |
|
| SA-3: System Development Life Cycle |
|
| SA-3(1): System Development Life Cycle | Manage Preproduction Environment |
|
| SA-3(2): System Development Life Cycle | Use of Live or Operational Data |
|
| SA-3(3): System Development Life Cycle | Technology Refresh |
|
| SA-4: Acquisition Process |
|
| SA-4(1): Acquisition Process | Functional Properties of Controls |
|
| SA-4(10): Acquisition Process | Use of Approved PIV Products |
|
| SA-4(11): Acquisition Process | System of Records |
|
| SA-4(12): Acquisition Process | Data Ownership |
|
| SA-4(2): Acquisition Process | Design and Implementation Information for Controls |
|
| SA-4(3): Acquisition Process | Development Methods, Techniques, and Practices |
|
| SA-4(4): Acquisition Process | Assignment of Components to Systems |
|
| SA-4(5): Acquisition Process | System, Component, and Service Configurations |
|
| SA-4(6): Acquisition Process | Use of Information Assurance Products |
|
| SA-4(7): Acquisition Process | NIAP-approved Protection Profiles |
|
| SA-4(8): Acquisition Process | Continuous Monitoring Plan for Controls |
|
| SA-4(9): Acquisition Process | Functions, Ports, Protocols, and Services in Use |
|
| SA-5: System Documentation |
|
| SA-5(1): System Documentation | Functional Properties of Security Controls |
|
| SA-5(2): System Documentation | Security-relevant External System Interfaces |
|
| SA-5(3): System Documentation | High-level Design |
|
| SA-5(4): System Documentation | Low-level Design |
|
| SA-5(5): System Documentation | Source Code |
|
| SA-6: Software Usage Restrictions |
|
| SA-7: User-installed Software |
|
| SA-8: Security and Privacy Engineering Principles |
|
| SA-8(1): Security and Privacy Engineering Principles | Clear Abstractions |
|
| SA-8(10): Security and Privacy Engineering Principles | Hierarchical Trust |
|
| SA-8(11): Security and Privacy Engineering Principles | Inverse Modification Threshold |
|
| SA-8(12): Security and Privacy Engineering Principles | Hierarchical Protection |
|
| SA-8(13): Security and Privacy Engineering Principles | Minimized Security Elements |
|
| SA-8(14): Security and Privacy Engineering Principles | Least Privilege |
|
| SA-8(15): Security and Privacy Engineering Principles | Predicate Permission |
|
| SA-8(16): Security and Privacy Engineering Principles | Self-reliant Trustworthiness |
|
| SA-8(17): Security and Privacy Engineering Principles | Secure Distributed Composition |
|
| SA-8(18): Security and Privacy Engineering Principles | Trusted Communications Channels |
|
| SA-8(19): Security and Privacy Engineering Principles | Continuous Protection |
|
| SA-8(2): Security and Privacy Engineering Principles | Least Common Mechanism |
|
| SA-8(20): Security and Privacy Engineering Principles | Secure Metadata Management |
|
| SA-8(21): Security and Privacy Engineering Principles | Self-analysis |
|
| SA-8(22): Security and Privacy Engineering Principles | Accountability and Traceability |
|
| SA-8(23): Security and Privacy Engineering Principles | Secure Defaults |
|
| SA-8(24): Security and Privacy Engineering Principles | Secure Failure and Recovery |
|
| SA-8(25): Security and Privacy Engineering Principles | Economic Security |
|
| SA-8(26): Security and Privacy Engineering Principles | Performance Security |
|
| SA-8(27): Security and Privacy Engineering Principles | Human Factored Security |
|
| SA-8(28): Security and Privacy Engineering Principles | Acceptable Security |
|
| SA-8(29): Security and Privacy Engineering Principles | Repeatable and Documented Procedures |
|
| SA-8(3): Security and Privacy Engineering Principles | Modularity and Layering |
|
| SA-8(30): Security and Privacy Engineering Principles | Procedural Rigor |
|
| SA-8(31): Security and Privacy Engineering Principles | Secure System Modification |
|
| SA-8(32): Security and Privacy Engineering Principles | Sufficient Documentation |
|
| SA-8(33): Security and Privacy Engineering Principles | Minimization |
|
| SA-8(4): Security and Privacy Engineering Principles | Partially Ordered Dependencies |
|
| SA-8(5): Security and Privacy Engineering Principles | Efficiently Mediated Access |
|
| SA-8(6): Security and Privacy Engineering Principles | Minimized Sharing |
|
| SA-8(7): Security and Privacy Engineering Principles | Reduced Complexity |
|
| SA-8(8): Security and Privacy Engineering Principles | Secure Evolvability |
|
| SA-8(9): Security and Privacy Engineering Principles | Trusted Components |
|
| SA-9: External System Services |
|
| SA-9(1): External System Services | Risk Assessments and Organizational Approvals |
|
| SA-9(2): External System Services | Identification of Functions, Ports, Protocols, and Services |
|
| SA-9(3): External System Services | Establish and Maintain Trust Relationship with Providers |
|
| SA-9(4): External System Services | Consistent Interests of Consumers and Providers |
|
| SA-9(5): External System Services | Processing, Storage, and Service Location |
|
| SA-9(6): External System Services | Organization-controlled Cryptographic Keys |
|
| SA-9(7): External System Services | Organization-controlled Integrity Checking |
|
| SA-9(8): External System Services | Processing and Storage Location — U.S. Jurisdiction |
|
| SC-1: Policy and Procedures |
|
| SC-10: Network Disconnect |
|
| SC-11: Trusted Path |
|
| SC-11(1): Trusted Path | Irrefutable Communications Path |
|
| SC-12: Cryptographic Key Establishment and Management |
|
| SC-12(1): Cryptographic Key Establishment and Management | Availability |
|
| SC-12(2): Cryptographic Key Establishment and Management | Symmetric Keys |
|
| SC-12(3): Cryptographic Key Establishment and Management | Asymmetric Keys |
|
| SC-12(4): Cryptographic Key Establishment and Management | PKI Certificates |
|
| SC-12(5): Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens |
|
| SC-12(6): Cryptographic Key Establishment and Management | Physical Control of Keys |
|
| SC-13: Cryptographic Protection |
|
| SC-13(1): Cryptographic Protection | FIPS-validated Cryptography |
|
| SC-13(2): Cryptographic Protection | NSA-approved Cryptography |
|
| SC-13(3): Cryptographic Protection | Individuals Without Formal Access Approvals |
|
| SC-13(4): Cryptographic Protection | Digital Signatures |
|
| SC-14: Public Access Protections |
|
| SC-15: Collaborative Computing Devices and Applications |
|
| SC-15(1): Collaborative Computing Devices and Applications | Physical or Logical Disconnect |
|
| SC-15(2): Collaborative Computing Devices and Applications | Blocking Inbound and Outbound Communications Traffic |
|
| SC-15(3): Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas |
|
| SC-15(4): Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants |
|
| SC-16: Transmission of Security and Privacy Attributes |
|
| SC-16(1): Transmission of Security and Privacy Attributes | Integrity Verification |
|
| SC-16(2): Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms |
|
| SC-16(3): Transmission of Security and Privacy Attributes | Cryptographic Binding |
|
| SC-17: Public Key Infrastructure Certificates |
|
| SC-18: Mobile Code |
|
| SC-18(1): Mobile Code | Identify Unacceptable Code and Take Corrective Actions |
|
| SC-18(2): Mobile Code | Acquisition, Development, and Use |
|
| SC-18(3): Mobile Code | Prevent Downloading and Execution |
|
| SC-18(4): Mobile Code | Prevent Automatic Execution |
|
| SC-18(5): Mobile Code | Allow Execution Only in Confined Environments |
|
| SC-19: Voice Over Internet Protocol |
|
| SC-2: Separation of System and User Functionality |
|
| SC-2(1): Separation of System and User Functionality | Interfaces for Non-privileged Users |
|
| SC-2(2): Separation of System and User Functionality | Disassociability |
|
| SC-20: Secure Name/address Resolution Service (authoritative Source) |
|
| SC-20(1): Secure Name/address Resolution Service (authoritative Source) | Child Subspaces |
|
| SC-20(2): Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity |
|
| SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver) |
|
| SC-21(1): Secure Name/address Resolution Service (recursive or Caching Resolver) | Data Origin and Integrity |
|
| SC-22: Architecture and Provisioning for Name/address Resolution Service |
|
| SC-23: Session Authenticity |
|
| SC-23(1): Session Authenticity | Invalidate Session Identifiers at Logout |
|
| SC-23(2): Session Authenticity | User-initiated Logouts and Message Displays |
|
| SC-23(3): Session Authenticity | Unique System-generated Session Identifiers |
|
| SC-23(4): Session Authenticity | Unique Session Identifiers with Randomization |
|
| SC-23(5): Session Authenticity | Allowed Certificate Authorities |
|
| SC-24: Fail in Known State |
|
| SC-25: Thin Nodes |
|
| SC-26: Decoys |
|
| SC-26(1): Decoys | Detection of Malicious Code |
|
| SC-27: Platform-independent Applications |
|
| SC-28: Protection of Information at Rest |
|
| SC-28(1): Protection of Information at Rest | Cryptographic Protection |
|
| SC-28(2): Protection of Information at Rest | Offline Storage |
|
| SC-28(3): Protection of Information at Rest | Cryptographic Keys |
|
| SC-29: Heterogeneity |
|
| SC-29(1): Heterogeneity | Virtualization Techniques |
|
| SC-3: Security Function Isolation |
|
| SC-3(1): Security Function Isolation | Hardware Separation |
|
| SC-3(2): Security Function Isolation | Access and Flow Control Functions |
|
| SC-3(3): Security Function Isolation | Minimize Nonsecurity Functionality |
|
| SC-3(4): Security Function Isolation | Module Coupling and Cohesiveness |
|
| SC-3(5): Security Function Isolation | Layered Structures |
|
| SC-30: Concealment and Misdirection |
|
| SC-30(1): Concealment and Misdirection | Virtualization Techniques |
|
| SC-30(2): Concealment and Misdirection | Randomness |
|
| SC-30(3): Concealment and Misdirection | Change Processing and Storage Locations |
|
| SC-30(4): Concealment and Misdirection | Misleading Information |
|
| SC-30(5): Concealment and Misdirection | Concealment of System Components |
|
| SC-31: Covert Channel Analysis |
|
| SC-31(1): Covert Channel Analysis | Test Covert Channels for Exploitability |
|
| SC-31(2): Covert Channel Analysis | Maximum Bandwidth |
|
| SC-31(3): Covert Channel Analysis | Measure Bandwidth in Operational Environments |
|
| SC-32: System Partitioning |
|
| SC-32(1): System Partitioning | Separate Physical Domains for Privileged Functions |
|
| SC-33: Transmission Preparation Integrity |
|
| SC-34: Non-modifiable Executable Programs |
|
| SC-34(1): Non-modifiable Executable Programs | No Writable Storage |
|
| SC-34(2): Non-modifiable Executable Programs | Integrity Protection on Read-only Media |
|
| SC-34(3): Non-modifiable Executable Programs | Hardware-based Protection |
|
| SC-35: External Malicious Code Identification |
|
| SC-36: Distributed Processing and Storage |
|
| SC-36(1): Distributed Processing and Storage | Polling Techniques |
|
| SC-36(2): Distributed Processing and Storage | Synchronization |
|
| SC-37: Out-of-band Channels |
|
| SC-37(1): Out-of-band Channels | Ensure Delivery and Transmission |
|
| SC-38: Operations Security |
|
| SC-39: Process Isolation |
|
| SC-39(1): Process Isolation | Hardware Separation |
|
| SC-39(2): Process Isolation | Separate Execution Domain Per Thread |
|
| SC-4: Information in Shared System Resources |
|
| SC-4(1): Information in Shared System Resources | Security Levels |
|
| SC-4(2): Information in Shared System Resources | Multilevel or Periods Processing |
|
| SC-40: Wireless Link Protection |
|
| SC-40(1): Wireless Link Protection | Electromagnetic Interference |
|
| SC-40(2): Wireless Link Protection | Reduce Detection Potential |
|
| SC-40(3): Wireless Link Protection | Imitative or Manipulative Communications Deception |
|
| SC-40(4): Wireless Link Protection | Signal Parameter Identification |
|
| SC-41: Port and I/O Device Access |
|
| SC-42: Sensor Capability and Data |
|
| SC-42(1): Sensor Capability and Data | Reporting to Authorized Individuals or Roles |
|
| SC-42(2): Sensor Capability and Data | Authorized Use |
|
| SC-42(3): Sensor Capability and Data | Prohibit Use of Devices |
|
| SC-42(4): Sensor Capability and Data | Notice of Collection |
|
| SC-42(5): Sensor Capability and Data | Collection Minimization |
|
| SC-43: Usage Restrictions |
|
| SC-44: Detonation Chambers |
|
| SC-45: System Time Synchronization |
|
| SC-45(1): System Time Synchronization | Synchronization with Authoritative Time Source |
|
| SC-45(2): System Time Synchronization | Secondary Authoritative Time Source |
|
| SC-46: Cross Domain Policy Enforcement |
|
| SC-47: Alternate Communications Paths |
|
| SC-48: Sensor Relocation |
|
| SC-48(1): Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities |
|
| SC-49: Hardware-enforced Separation and Policy Enforcement |
|
| SC-5: Denial-of-service Protection |
|
| SC-5(1): Denial-of-service Protection | Restrict Ability to Attack Other Systems |
|
| SC-5(2): Denial-of-service Protection | Capacity, Bandwidth, and Redundancy |
|
| SC-5(3): Denial-of-service Protection | Detection and Monitoring |
|
| SC-50: Software-enforced Separation and Policy Enforcement |
|
| SC-51: Hardware-based Protection |
|
| SC-6: Resource Availability |
|
| SC-7: Boundary Protection |
|
| SC-7.b: Content inspection |
|
| SC-7.d: URL filtering |
|
| SC-7.g: Authentication / Authorization |
|
| SC-7.h: Category blocking |
|
| SC-7(1): Boundary Protection | Physically Separated Subnetworks |
|
| SC-7(10): Boundary Protection | Prevent Exfiltration |
|
| SC-7(11): Boundary Protection | Restrict Incoming Communications Traffic |
|
| SC-7(12): Boundary Protection | Host-based Protection |
|
| SC-7(13): Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components |
|
| SC-7(14): Boundary Protection | Protect Against Unauthorized Physical Connections |
|
| SC-7(15): Boundary Protection | Networked Privileged Accesses |
|
| SC-7(16): Boundary Protection | Prevent Discovery of System Components |
|
| SC-7(17): Boundary Protection | Automated Enforcement of Protocol Formats |
|
| SC-7(18): Boundary Protection | Fail Secure |
|
| SC-7(19): Boundary Protection | Block Communication from Non-organizationally Configured Hosts |
|
| SC-7(2): Boundary Protection | Public Access |
|
| SC-7(20): Boundary Protection | Dynamic Isolation and Segregation |
|
| SC-7(21): Boundary Protection | Isolation of System Components |
|
| SC-7(22): Boundary Protection | Separate Subnets for Connecting to Different Security Domains |
|
| SC-7(23): Boundary Protection | Disable Sender Feedback on Protocol Validation Failure |
|
| SC-7(24): Boundary Protection | Personally Identifiable Information |
|
| SC-7(25): Boundary Protection | Unclassified National Security System Connections |
|
| SC-7(26): Boundary Protection | Classified National Security System Connections |
|
| SC-7(27): Boundary Protection | Unclassified Non-national Security System Connections |
|
| SC-7(28): Boundary Protection | Connections to Public Networks |
|
| SC-7(29): Boundary Protection | Separate Subnets to Isolate Functions |
|
| SC-7(3): Boundary Protection | Access Points |
|
| SC-7(4): Boundary Protection | External Telecommunications Services |
|
| SC-7(5): Boundary Protection | Deny by Default — Allow by Exception |
|
| SC-7(6): Boundary Protection | Response to Recognized Failures |
|
| SC-7(7): Boundary Protection | Split Tunneling for Remote Devices |
|
| SC-7(8): Boundary Protection | Route Traffic to Authenticated Proxy Servers |
|
| SC-7(9): Boundary Protection | Restrict Threatening Outgoing Communications Traffic |
|
| SC-8: Transmission Confidentiality and Integrity |
|
| SC-8(1): Transmission Confidentiality and Integrity | Cryptographic Protection |
|
| SC-8(2): Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling |
|
| SC-8(3): Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals |
|
| SC-8(4): Transmission Confidentiality and Integrity | Conceal or Randomize Communications |
|
| SC-8(5): Transmission Confidentiality and Integrity | Protected Distribution System |
|
| SC-9: Transmission Confidentiality |
|
| SI-1: Policy and Procedures |
|
| SI-10: Information Input Validation |
|
| SI-10(1): Information Input Validation | Manual Override Capability |
|
| SI-10(2): Information Input Validation | Review and Resolve Errors |
|
| SI-10(3): Information Input Validation | Predictable Behavior |
|
| SI-10(4): Information Input Validation | Timing Interactions |
|
| SI-10(5): Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats |
|
| SI-10(6): Information Input Validation | Injection Prevention |
|
| SI-11: Error Handling |
|
| SI-12: Information Management and Retention |
|
| SI-12(1): Information Management and Retention | Limit Personally Identifiable Information Elements |
|
| SI-12(2): Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research |
|
| SI-12(3): Information Management and Retention | Information Disposal |
|
| SI-13: Predictable Failure Prevention |
|
| SI-13(1): Predictable Failure Prevention | Transferring Component Responsibilities |
|
| SI-13(2): Predictable Failure Prevention | Time Limit on Process Execution Without Supervision |
|
| SI-13(3): Predictable Failure Prevention | Manual Transfer Between Components |
|
| SI-13(4): Predictable Failure Prevention | Standby Component Installation and Notification |
|
| SI-13(5): Predictable Failure Prevention | Failover Capability |
|
| SI-14: Non-persistence |
|
| SI-14(1): Non-persistence | Refresh from Trusted Sources |
|
| SI-14(2): Non-persistence | Non-persistent Information |
|
| SI-14(3): Non-persistence | Non-persistent Connectivity |
|
| SI-15: Information Output Filtering |
|
| SI-16: Memory Protection |
|
| SI-17: Fail-safe Procedures |
|
| SI-18: Personally Identifiable Information Quality Operations |
|
| SI-18(1): Personally Identifiable Information Quality Operations | Automation Support |
|
| SI-18(2): Personally Identifiable Information Quality Operations | Data Tags |
|
| SI-18(3): Personally Identifiable Information Quality Operations | Collection |
|
| SI-18(4): Personally Identifiable Information Quality Operations | Individual Requests |
|
| SI-18(5): Personally Identifiable Information Quality Operations | Notice of Correction or Deletion |
|
| SI-19: De-identification |
|
| SI-19(1): De-identification | Collection |
|
| SI-19(2): De-identification | Archiving |
|
| SI-19(3): De-identification | Release |
|
| SI-19(4): De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers |
|
| SI-19(5): De-identification | Statistical Disclosure Control |
|
| SI-19(6): De-identification | Differential Privacy |
|
| SI-19(7): De-identification | Validated Algorithms and Software |
|
| SI-19(8): De-identification | Motivated Intruder |
|
| SI-2: Flaw Remediation |
|
| SI-2(1): Flaw Remediation | Central Management |
|
| SI-2(2): Flaw Remediation | Automated Flaw Remediation Status |
|
| SI-2(3): Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions |
|
| SI-2(4): Flaw Remediation | Automated Patch Management Tools |
|
| SI-2(5): Flaw Remediation | Automatic Software and Firmware Updates |
|
| SI-2(6): Flaw Remediation | Removal of Previous Versions of Software and Firmware |
|
| SI-20: Tainting |
|
| SI-21: Information Refresh |
|
| SI-22: Information Diversity |
|
| SI-23: Information Fragmentation |
|
| SI-3: Malicious Code Protection |
|
| SI-3(1): Malicious Code Protection | Central Management |
|
| SI-3(10): Malicious Code Protection | Malicious Code Analysis |
|
| SI-3(2): Malicious Code Protection | Automatic Updates |
|
| SI-3(3): Malicious Code Protection | Non-privileged Users |
|
| SI-3(4): Malicious Code Protection | Updates Only by Privileged Users |
|
| SI-3(5): Malicious Code Protection | Portable Storage Devices |
|
| SI-3(6): Malicious Code Protection | Testing and Verification |
|
| SI-3(7): Malicious Code Protection | Nonsignature-based Detection |
|
| SI-3(8): Malicious Code Protection | Detect Unauthorized Commands |
|
| SI-3(9): Malicious Code Protection | Authenticate Remote Commands |
|
| SI-4: System Monitoring |
|
| SI-4(1): System Monitoring | System-wide Intrusion Detection System |
|
| SI-4(10): System Monitoring | Visibility of Encrypted Communications |
|
| SI-4(11): System Monitoring | Analyze Communications Traffic Anomalies |
|
| SI-4(12): System Monitoring | Automated Organization-generated Alerts |
|
| SI-4(13): System Monitoring | Analyze Traffic and Event Patterns |
|
| SI-4(14): System Monitoring | Wireless Intrusion Detection |
|
| SI-4(15): System Monitoring | Wireless to Wireline Communications |
|
| SI-4(16): System Monitoring | Correlate Monitoring Information |
|
| SI-4(17): System Monitoring | Integrated Situational Awareness |
|
| SI-4(18): System Monitoring | Analyze Traffic and Covert Exfiltration |
|
| SI-4(19): System Monitoring | Risk for Individuals |
|
| SI-4(2): System Monitoring | Automated Tools and Mechanisms for Real-time Analysis |
|
| SI-4(20): System Monitoring | Privileged Users |
|
| SI-4(21): System Monitoring | Probationary Periods |
|
| SI-4(22): System Monitoring | Unauthorized Network Services |
|
| SI-4(23): System Monitoring | Host-based Devices |
|
| SI-4(24): System Monitoring | Indicators of Compromise |
|
| SI-4(25): System Monitoring | Optimize Network Traffic Analysis |
|
| SI-4(3): System Monitoring | Automated Tool and Mechanism Integration |
|
| SI-4(4): System Monitoring | Inbound and Outbound Communications Traffic |
|
| SI-4(5): System Monitoring | System-generated Alerts |
|
| SI-4(6): System Monitoring | Restrict Non-privileged Users |
|
| SI-4(7): System Monitoring | Automated Response to Suspicious Events |
|
| SI-4(8): System Monitoring | Protection of Monitoring Information |
|
| SI-4(9): System Monitoring | Testing of Monitoring Tools and Mechanisms |
|
| SI-5: Security Alerts, Advisories, and Directives |
|
| SI-5(1): Security Alerts, Advisories, and Directives | Automated Alerts and Advisories |
|
| SI-6: Security and Privacy Function Verification |
|
| SI-6(1): Security and Privacy Function Verification | Notification of Failed Security Tests |
|
| SI-6(2): Security and Privacy Function Verification | Automation Support for Distributed Testing |
|
| SI-6(3): Security and Privacy Function Verification | Report Verification Results |
|
| SI-7: Software, Firmware, and Information Integrity |
|
| SI-7(1): Software, Firmware, and Information Integrity | Integrity Checks |
|
| SI-7(10): Software, Firmware, and Information Integrity | Protection of Boot Firmware |
|
| SI-7(11): Software, Firmware, and Information Integrity | Confined Environments with Limited Privileges |
|
| SI-7(12): Software, Firmware, and Information Integrity | Integrity Verification |
|
| SI-7(13): Software, Firmware, and Information Integrity | Code Execution in Protected Environments |
|
| SI-7(14): Software, Firmware, and Information Integrity | Binary or Machine Executable Code |
|
| SI-7(15): Software, Firmware, and Information Integrity | Code Authentication |
|
| SI-7(16): Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision |
|
| SI-7(17): Software, Firmware, and Information Integrity | Runtime Application Self-protection |
|
| SI-7(2): Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations |
|
| SI-7(3): Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools |
|
| SI-7(4): Software, Firmware, and Information Integrity | Tamper-evident Packaging |
|
| SI-7(5): Software, Firmware, and Information Integrity | Automated Response to Integrity Violations |
|
| SI-7(6): Software, Firmware, and Information Integrity | Cryptographic Protection |
|
| SI-7(7): Software, Firmware, and Information Integrity | Integration of Detection and Response |
|
| SI-7(8): Software, Firmware, and Information Integrity | Auditing Capability for Significant Events |
|
| SI-7(9): Software, Firmware, and Information Integrity | Verify Boot Process |
|
| SI-8: Spam Protection |
|
| SI-8(1): Spam Protection | Central Management |
|
| SI-8(2): Spam Protection | Automatic Updates |
|
| SI-8(3): Spam Protection | Continuous Learning Capability |
|
| SI-9: Information Input Restrictions |
|
| SR-1: Policy and Procedures |
|
| SR-10: Inspection of Systems or Components |
|
| SR-11: Component Authenticity |
|
| SR-11(1): Component Authenticity | Anti-counterfeit Training |
|
| SR-11(2): Component Authenticity | Configuration Control for Component Service and Repair |
|
| SR-11(3): Component Authenticity | Anti-counterfeit Scanning |
|
| SR-12: Component Disposal |
|
| SR-2: Supply Chain Risk Management Plan |
|
| SR-2(1): Supply Chain Risk Management Plan | Establish SCRM Team |
|
| SR-3: Supply Chain Controls and Processes |
|
| SR-3(1): Supply Chain Controls and Processes | Diverse Supply Base |
|
| SR-3(2): Supply Chain Controls and Processes | Limitation of Harm |
|
| SR-3(3): Supply Chain Controls and Processes | Sub-tier Flow Down |
|
| SR-4: Provenance |
|
| SR-4(1): Provenance | Identity |
|
| SR-4(2): Provenance | Track and Trace |
|
| SR-4(3): Provenance | Validate as Genuine and Not Altered |
|
| SR-4(4): Provenance | Supply Chain Integrity — Pedigree |
|
| SR-5: Acquisition Strategies, Tools, and Methods |
|
| SR-5(1): Acquisition Strategies, Tools, and Methods | Adequate Supply |
|
| SR-5(2): Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update |
|
| SR-6: Supplier Assessments and Reviews |
|
| SR-6(1): Supplier Assessments and Reviews | Testing and Analysis |
|
| SR-7: Supply Chain Operations Security |
|
| SR-8: Notification Agreements |
|
| SR-9: Tamper Resistance and Detection |
|
| SR-9(1): Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle |
|