(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804

Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements
01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control
02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection
03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management
04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering
05: Ma 10: Se 15: Controlled A 20: Pe
1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
ACCESS CONTROL ACCESS CONTROL
AC-01 ACCESS CONTROL POLICY AND PROCEDURES • AC-01
P1 LOW •
AC-02 ACCOUNT MANAGEMENT • • • AC-02
P1 LOW AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT • • • AC-2 (1)
AC-2 (2) REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS • • • AC-2 (2)
AC-2 (3) DISABLE INACTIVE ACCOUNTS • • • AC-2 (3)
AC-2 (4) AUTOMATED AUDIT ACTIONS • • • AC-2 (4)
AC-2 (5) INACTIVITY LOGOUT • • • AC-2 (5)
AC-2 (6) DYNAMIC PRIVILEGE MANAGEMENT • • • AC-2 (6)
AC-2 (7) ROLE-BASED SCHEMES • • • AC-2 (7)
AC-2 (8) DYNAMIC ACCOUNT CREATION • • • AC-2 (8)
AC-2 (9) RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS • • • AC-2 (9)
AC-2 (10) SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION • • • AC-2 (10)
AC-2 (11) USAGE CONDITIONS • • • AC-2 (11)
AC-2 (12) ACCOUNT MONITORING / ATYPICAL USAGE • • • AC-2 (12)
AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS • • • AC-2 (13)
AC-03 ACCESS ENFORCEMENT • • • AC-03
P1 LOW AC-3 (1) RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS • • • AC-3 (1)
AC-3 (2) DUAL AUTHORIZATION • • • AC-3 (2)
AC-3 (3) MANDATORY ACCESS CONTROL • • • AC-3 (3)
AC-3 (4) DISCRETIONARY ACCESS CONTROL • • • AC-3 (4)
AC-3 (5) SECURITY-RELEVANT INFORMATION • • • AC-3 (5)
AC-3 (6) PROTECTION OF USER AND SYSTEM INFORMATION • • • AC-3 (6)
AC-3 (7) ROLE-BASED ACCESS CONTROL • • • AC-3 (7)
AC-3 (8) REVOCATION OF ACCESS AUTHORIZATIONS • • • AC-3 (8)
AC-3 (9) CONTROLLED RELEASE • • • AC-3 (9)
AC-3 (10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS • • • AC-3 (10)
AC-04 INFORMATION FLOW ENFORCEMENT • • • • • AC-04
P1 MODERATE AC-4 (1) OBJECT SECURITY ATTRIBUTES • • • • • AC-4 (1)
AC-4 (2) PROCESSING DOMAINS • • • • • AC-4 (2)
AC-4 (3) DYNAMIC INFORMATION FLOW CONTROL • • • • • AC-4 (3)
AC-4 (4) CONTENT CHECK ENCRYPTED INFORMATION • • • • • AC-4 (4)
AC-4 (5) EMBEDDED DATA TYPES • • • • • AC-4 (5)
AC-4 (6) METADATA • • • • • AC-4 (6)
AC-4 (7) ONE-WAY FLOW MECHANISMS • • • • • AC-4 (7)
AC-4 (8) SECURITY POLICY FILTERS • • • • • AC-4 (8)
AC-4 (9) HUMAN REVIEWS • • • • • AC-4 (9)
AC-4 (10) ENABLE / DISABLE SECURITY POLICY FILTERS • • • • • AC-4 (10)
AC-4 (11) CONFIGURATION OF SECURITY POLICY FILTERS • • • • • AC-4 (11)
AC-4 (12) DATA TYPE IDENTIFIERS • • • • • AC-4 (12)
AC-4 (13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS • • • • • AC-4 (13)
AC-4 (14) SECURITY POLICY FILTER CONSTRAINTS • • • • • AC-4 (14)
AC-4 (15) DETECTION OF UNSANCTIONED INFORMATION • • • • • AC-4 (15)
ENHANCEMENTS TABLE Page 1 of 26

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
AC-04 P1 MODERATE AC-4 (16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS • • • • • AC-4 (16)
AC-4 (17) DOMAIN AUTHENTICATION • • • • • AC-4 (17)
AC-4 (18) SECURITY ATTRIBUTE BINDING • • • • • AC-4 (18)
AC-4 (19) VALIDATION OF METADATA • • • • • AC-4 (19)
AC-4 (20) APPROVED SOLUTIONS • • • • • AC-4 (20)
AC-4 (21) PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS • • • • • AC-4 (21)
AC-4 (22) ACCESS ONLY • • • • • AC-4 (22)
AC-05 SEPARATION OF DUTIES AC-05
P1 MODERATE
AC-06 LEAST PRIVILEGE • • AC-06
P1 MODERATE AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS • • AC-6 (1)
AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS • • AC-6 (2)
AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS • • AC-6 (3)
AC-6 (4) SEPARATE PROCESSING DOMAINS • • AC-6 (4)
AC-6 (5) PRIVILEGED ACCOUNTS • • AC-6 (5)
AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS • • AC-6 (6)
AC-6 (7) REVIEW OF USER PRIVILEGES • • AC-6 (7)
AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION • • AC-6 (8)
AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS • • AC-6 (9)
AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS • • AC-6 (10)
AC-07 UNSUCCESSFUL LOGON ATTEMPTS • AC-07
P2 LOW AC-7 (1) AUTOMATIC ACCOUNT LOCK • AC-7 (1)
AC-7 (2) PURGE / WIPE MOBILE DEVICE • AC-7 (2)
AC-08 SYSTEM USE NOTIFICATION AC-08
P1 LOW
AC-09 PREVIOUS LOGON (ACCESS) NOTIFICATION AC-09
P0 AC-9 (1) UNSUCCESSFUL LOGONS AC-9 (1)
AC-9 (2) SUCCESSFUL / UNSUCCESSFUL LOGONS AC-9 (2)
AC-9 (3) NOTIFICATION OF ACCOUNT CHANGES AC-9 (3)
AC-9 (4) ADDITIONAL LOGON INFORMATION AC-9 (4)
AC-10 CONCURRENT SESSION CONTROL AC-10
P3 HIGH
AC-11 SESSION LOCK • AC-11
P3 MODERATE AC-11 (1) PATTERN-HIDING DISPLAYS • AC-11 (1)
AC-12 SESSION TERMINATION • AC-12
P2 MODERATE AC-12 (1) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS • AC-12 (1)
AC-13 SUPERVISION AND REVIEW ' ACCESS CONTROL AC-13
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION AC-14
P3 LOW AC-14 (1) NECESSARY USES AC-14 (1)
AC-15 AUTOMATED MARKING AC-15

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
AC-15
AC-16 SECURITY ATTRIBUTES AC-16
P0 AC-16 (1) DYNAMIC ATTRIBUTE ASSOCIATION AC-16 (1)
AC-16 (2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS AC-16 (2)
AC-16 (3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM AC-16 (3)
AC-16 (4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS AC-16 (4)
AC-16 (5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES AC-16 (5)
AC-16 (6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION AC-16 (6)
AC-16 (7) CONSISTENT ATTRIBUTE INTERPRETATION AC-16 (7)
AC-16 (8) ASSOCIATION TECHNIQUES / TECHNOLOGIES AC-16 (8)
AC-16 (9) ATTRIBUTE REASSIGNMENT AC-16 (9)
AC-16 (10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS AC-16 (10)
AC-17 REMOTE ACCESS • • AC-17
P1 LOW AC-17 (1) AUTOMATED MONITORING / CONTROL • • AC-17 (1)
AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION • • AC-17 (2)
AC-17 (3) MANAGED ACCESS CONTROL POINTS • • AC-17 (3)
AC-17 (4) PRIVILEGED COMMANDS / ACCESS • • AC-17 (4)
AC-17 (5) MONITORING FOR UNAUTHORIZED CONNECTIONS • • AC-17 (5)
AC-17 (6) PROTECTION OF INFORMATION • • AC-17 (6)
AC-17 (7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS • • AC-17 (7)
AC-17 (8) DISABLE NONSECURE NETWORK PROTOCOLS • • AC-17 (8)
AC-17 (9) DISCONNECT / DISABLE ACCESS • • AC-17 (9)
AC-18 WIRELESS ACCESS • AC-18
P1 LOW AC-18 (1) AUTHENTICATION AND ENCRYPTION • AC-18 (1)
AC-18 (2) MONITORING UNAUTHORIZED CONNECTIONS • AC-18 (2)
AC-18 (3) DISABLE WIRELESS NETWORKING • AC-18 (3)
AC-18 (4) RESTRICT CONFIGURATIONS BY USERS • AC-18 (4)
AC-18 (5) ANTENNAS / TRANSMISSION POWER LEVELS • AC-18 (5)
AC-19 ACCESS CONTROL FOR MOBILE DEVICES • • AC-19
P1 LOW AC-19 (1) USE OF WRITABLE / PORTABLE STORAGE DEVICES • • AC-19 (1)
AC-19 (2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES • • AC-19 (2)
AC-19 (3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER • • AC-19 (3)
AC-19 (4) RESTRICTIONS FOR CLASSIFIED INFORMATION • • AC-19 (4)
AC-19 (5) FULL DEVICE / CONTAINER-BASED ENCRYPTION • • AC-19 (5)
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS • AC-20
P1 LOW AC-20 (1) LIMITS ON AUTHORIZED USE • AC-20 (1)
AC-20 (2) PORTABLE STORAGE DEVICES • AC-20 (2)
AC-20 (3) NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES • AC-20 (3)
AC-20 (4) NETWORK ACCESSIBLE STORAGE DEVICES • AC-20 (4)
AC-21 INFORMATION SHARING AC-21
P2 MODERATE AC-21 (1) AUTOMATED DECISION SUPPORT AC-21 (1)
AC-21 (2) INFORMATION SEARCH AND RETRIEVAL AC-21 (2)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
AC-22 PUBLICLY ACCESSIBLE CONTENT AC-22
P3 LOW
AC-23 DATA MINING PROTECTION • • AC-23
P0 • •
AC-24 ACCESS CONTROL DECISIONS • AC-24
P0 AC-24 (1) TRANSMIT ACCESS AUTHORIZATION INFORMATION • AC-24 (1)
AC-24 (2) NO USER OR PROCESS IDENTITY • AC-24 (2)
AC-25 REFERENCE MONITOR AC-25
P0
AUDIT AND ACCOUNTABILITY AUDIT AND ACCOUNTABILITY
AU-01 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES AU-01
P1 LOW
AU-02 AUDIT EVENTS • AU-02
P1 LOW AU-2 (1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES • AU-2 (1)
AU-2 (2) SELECTION OF AUDIT EVENTS BY COMPONENT • AU-2 (2)
AU-2 (3) REVIEWS AND UPDATES • AU-2 (3)
AU-2 (4) PRIVILEGED FUNCTIONS • AU-2 (4)
AU-03 CONTENT OF AUDIT RECORDS • AU-03
P1 LOW AU-3 (1) ADDITIONAL AUDIT INFORMATION • AU-3 (1)
AU-3 (2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT • AU-3 (2)
AU-04 AUDIT STORAGE CAPACITY • AU-04
P1 LOW AU-4 (1) TRANSFER TO ALTERNATE STORAGE • AU-4 (1)
AU-05 RESPONSE TO AUDIT PROCESSING FAILURES • AU-05
P1 LOW AU-5 (1) AUDIT STORAGE CAPACITY • AU-5 (1)
AU-5 (2) REAL-TIME ALERTS • AU-5 (2)
AU-5 (3) CONFIGURABLE TRAFFIC VOLUME THRESHOLDS • AU-5 (3)
AU-5 (4) SHUTDOWN ON FAILURE • AU-5 (4)
AU-06 AUDIT REVIEW, ANALYSIS, AND REPORTING • AU-06
P1 LOW AU-6 (1) PROCESS INTEGRATION • AU-6 (1)
AU-6 (2) AUTOMATED SECURITY ALERTS • AU-6 (2)
AU-6 (3) CORRELATE AUDIT REPOSITORIES • AU-6 (3)
AU-6 (4) CENTRAL REVIEW AND ANALYSIS • AU-6 (4)
AU-6 (5) INTEGRATION / SCANNING AND MONITORING CAPABILITIES • AU-6 (5)
AU-6 (6) CORRELATION WITH PHYSICAL MONITORING • AU-6 (6)
AU-6 (7) PERMITTED ACTIONS • AU-6 (7)
AU-6 (8) FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS • AU-6 (8)
AU-6 (9) CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES • AU-6 (9)
AU-6 (10) AUDIT LEVEL ADJUSTMENT • AU-6 (10)
AU-07 AUDIT REDUCTION AND REPORT GENERATION • AU-07
P2 MODERATE AU-7 (1) AUTOMATIC PROCESSING • AU-7 (1)
AU-7 (2) AUTOMATIC SORT AND SEARCH • AU-7 (2)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
AU-07 P2 MODERATE
AU-08 TIME STAMPS • AU-08
P1 LOW AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE • AU-8 (1)
AU-8 (2) SECONDARY AUTHORITATIVE TIME SOURCE • AU-8 (2)
AU-09 PROTECTION OF AUDIT INFORMATION • AU-09
P1 LOW AU-9 (1) HARDWARE WRITE-ONCE MEDIA • AU-9 (1)
AU-9 (2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS • AU-9 (2)
AU-9 (3) CRYPTOGRAPHIC PROTECTION • AU-9 (3)
AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS • AU-9 (4)
AU-9 (5) DUAL AUTHORIZATION • AU-9 (5)
AU-9 (6) READ ONLY ACCESS • AU-9 (6)
AU-10 NON-REPUDIATION • AU-10
P2 HIGH AU-10 (1) ASSOCIATION OF IDENTITIES • AU-10 (1)
AU-10 (2) VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY • AU-10 (2)
AU-10 (3) CHAIN OF CUSTODY • AU-10 (3)
AU-10 (4) VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY • AU-10 (4)
AU-10 (5) DIGITAL SIGNATURES • AU-10 (5)
AU-11 AUDIT RECORD RETENTION • AU-11
P3 LOW AU-11 (1) LONG-TERM RETRIEVAL CAPABILITY • AU-11 (1)
AU-12 AUDIT GENERATION • AU-12
P1 LOW AU-12 (1) SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL • AU-12 (1)
AU-12 (2) STANDARDIZED FORMATS • AU-12 (2)
AU-12 (3) CHANGES BY AUTHORIZED INDIVIDUALS • AU-12 (3)
AU-13 MONITORING FOR INFORMATION DISCLOSURE • AU-13
P0 AU-13 (1) USE OF AUTOMATED TOOLS • AU-13 (1)
AU-13 (2) REVIEW OF MONITORED SITES • AU-13 (2)
AU-14 SESSION AUDIT • AU-14
P0 AU-14 (1) SYSTEM START-UP • AU-14 (1)
AU-14 (2) CAPTURE/RECORD AND LOG CONTENT • AU-14 (2)
AU-14 (3) REMOTE VIEWING / LISTENING • AU-14 (3)
AU-15 ALTERNATE AUDIT CAPABILITY AU-15
P0
AU-16 CROSS-ORGANIZATIONAL AUDITING AU-16
P0 AU-16 (1) IDENTITY PRESERVATION AU-16 (1)
AU-16 (2) SHARING OF AUDIT INFORMATION AU-16 (2)
AWARENESS AND TRAINING AWARENESS AND TRAINING
AT-01 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES • AT-01
P1 LOW •
AT-02 SECURITY AWARENESS TRAINING • AT-02

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
AT-02 P1 LOW AT-2 (1) PRACTICAL EXERCISES • AT-2 (1)
AT-2 (2) INSIDER THREAT • AT-2 (2)
AT-03 ROLE-BASED SECURITY TRAINING • AT-03
P1 LOW AT-3 (1) ENVIRONMENTAL CONTROLS • AT-3 (1)
AT-3 (2) PHYSICAL SECURITY CONTROLS • AT-3 (2)
AT-3 (3) PRACTICAL EXERCISES • AT-3 (3)
AT-3 (4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR • AT-3 (4)
AT-04 SECURITY TRAINING RECORDS • AT-04
P3 LOW •
AT-05 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS AT-05
CONFIGURATION MANAGEMENT CONFIGURATION MANAGEMENT
CM-01 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES CM-01
P1 LOW
CM-02 BASELINE CONFIGURATION • • • • • • CM-02
P1 LOW CM-2 (1) REVIEWS AND UPDATES • • • • • • CM-2 (1)
CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY • • • • • • CM-2 (2)
CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS • • • • • • CM-2 (3)
CM-2 (4) UNAUTHORIZED SOFTWARE • • • • • • CM-2 (4)
CM-2 (5) AUTHORIZED SOFTWARE • • • • • • CM-2 (5)
CM-2 (6) DEVELOPMENT AND TEST ENVIRONMENTS • • • • • • CM-2 (6)
CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS • • • • • • CM-2 (7)
CM-03 CONFIGURATION CHANGE CONTROL • • CM-03
P1 MODERATE CM-3 (1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES • • CM-3 (1)
CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES • • CM-3 (2)
CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION • • CM-3 (3)
CM-3 (4) SECURITY REPRESENTATIVE • • CM-3 (4)
CM-3 (5) AUTOMATED SECURITY RESPONSE • • CM-3 (5)
CM-3 (6) CRYPTOGRAPHY MANAGEMENT • • CM-3 (6)
CM-04 SECURITY IMPACT ANALYSIS CM-04
P2 LOW CM-4 (1) SEPARATE TEST ENVIRONMENTS CM-4 (1)
CM-4 (2) VERIFICATION OF SECURITY FUNCTIONS CM-4 (2)
CM-05 ACCESS RESTRICTIONS FOR CHANGE • • CM-05
P1 MODERATE CM-5 (1) AUTOMATED ACCESS ENFORCEMENT / AUDITING • • CM-5 (1)
CM-5 (2) REVIEW SYSTEM CHANGES • • CM-5 (2)
CM-5 (3) SIGNED COMPONENTS • • CM-5 (3)
CM-5 (4) DUAL AUTHORIZATION • • CM-5 (4)
CM-5 (5) LIMIT PRODUCTION / OPERATIONAL PRIVILEGES • • CM-5 (5)
CM-5 (6) LIMIT LIBRARY PRIVILEGES • • CM-5 (6)
CM-5 (7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS • • CM-5 (7)
CM-06 CONFIGURATION SETTINGS • • • CM-06

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
CM-06 P1 LOW CM-6 (1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION • • • CM-6 (1)
CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES • • • CM-6 (2)
CM-6 (3) UNAUTHORIZED CHANGE DETECTION • • • CM-6 (3)
CM-6 (4) CONFORMANCE DEMONSTRATION • • • CM-6 (4)
CM-07 LEAST FUNCTIONALITY • CM-07
P1 LOW CM-7 (1) PERIODIC REVIEW • CM-7 (1)
CM-7 (2) PREVENT PROGRAM EXECUTION • CM-7 (2)
CM-7 (3) REGISTRATION COMPLIANCE • CM-7 (3)
CM-7 (4) UNAUTHORIZED SOFTWARE / BLACKLISTING • CM-7 (4)
CM-7 (5) AUTHORIZED SOFTWARE / WHITELISTING • CM-7 (5)
CM-08 INFORMATION SYSTEM COMPONENT INVENTORY • • • • • CM-08
P1 LOW CM-8 (1) UPDATES DURING INSTALLATIONS / REMOVALS • • • • • CM-8 (1)
CM-8 (2) AUTOMATED MAINTENANCE • • • • • CM-8 (2)
CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION • • • • • CM-8 (3)
CM-8 (4) ACCOUNTABILITY INFORMATION • • • • • CM-8 (4)
CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS • • • • • CM-8 (5)
CM-8 (6) ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS • • • • • CM-8 (6)
CM-8 (7) CENTRALIZED REPOSITORY • • • • • CM-8 (7)
CM-8 (8) AUTOMATED LOCATION TRACKING • • • • • CM-8 (8)
CM-8 (9) ASSIGNMENT OF COMPONENTS TO SYSTEMS • • • • • CM-8 (9)
CM-09 CONFIGURATION MANAGEMENT PLAN • CM-09
P1 MODERATE CM-9 (1) ASSIGNMENT OF RESPONSIBILITY • CM-9 (1)
CM-10 SOFTWARE USAGE RESTRICTIONS • CM-10
P2 LOW CM-10 (1) OPEN SOURCE SOFTWARE • CM-10 (1)
CM-11 USER-INSTALLED SOFTWARE • • CM-11
P1 LOW CM-11 (1) ALERTS FOR UNAUTHORIZED INSTALLATIONS • • CM-11 (1)
CM-11 (2) PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS • • CM-11 (2)
CONTINGENCY PLANNING CONTINGENCY PLANNING
CP-01 CONTINGENCY PLANNING POLICY AND PROCEDURES CP-01
P1 LOW
CP-02 CONTINGENCY PLAN CP-02
P1 LOW CP-2 (1) COORDINATE WITH RELATED PLANS CP-2 (1)
CP-2 (2) CAPACITY PLANNING CP-2 (2)
CP-2 (3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS CP-2 (3)
CP-2 (4) RESUME ALL MISSIONS / BUSINESS FUNCTIONS CP-2 (4)
CP-2 (5) CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS CP-2 (5)
CP-2 (6) ALTERNATE PROCESSING / STORAGE SITE CP-2 (6)
CP-2 (7) COORDINATE WITH EXTERNAL SERVICE PROVIDERS CP-2 (7)
CP-2 (8) IDENTIFY CRITICAL ASSETS CP-2 (8)
CP-03 CONTINGENCY TRAINING CP-03

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
CP-03 P2 LOW CP-3 (1) SIMULATED EVENTS CP-3 (1)
CP-3 (2) AUTOMATED TRAINING ENVIRONMENTS CP-3 (2)
CP-04 CONTINGENCY PLAN TESTING CP-04
P2 LOW CP-4 (1) COORDINATE WITH RELATED PLANS CP-4 (1)
CP-4 (2) ALTERNATE PROCESSING SITE CP-4 (2)
CP-4 (3) AUTOMATED TESTING CP-4 (3)
CP-4 (4) FULL RECOVERY / RECONSTITUTION CP-4 (4)
CP-05 CONTINGENCY PLAN UPDATE CP-05
CP-06 ALTERNATE STORAGE SITE CP-06
P1 MODERATE CP-6 (1) SEPARATION FROM PRIMARY SITE CP-6 (1)
CP-6 (2) RECOVERY TIME / POINT OBJECTIVES CP-6 (2)
CP-6 (3) ACCESSIBILITY CP-6 (3)
CP-07 ALTERNATE PROCESSING SITE CP-07
P1 MODERATE CP-7 (1) SEPARATION FROM PRIMARY SITE CP-7 (1)
CP-7 (2) ACCESSIBILITY CP-7 (2)
CP-7 (3) PRIORITY OF SERVICE CP-7 (3)
CP-7 (4) PREPARATION FOR USE CP-7 (4)
CP-7 (5) EQUIVALENT INFORMATION SECURITY SAFEGUARDS CP-7 (5)
CP-7 (6) INABILITY TO RETURN TO PRIMARY SITE CP-7 (6)
CP-08 TELECOMMUNICATIONS SERVICES CP-08
P1 MODERATE CP-8 (1) PRIORITY OF SERVICE PROVISIONS CP-8 (1)
CP-8 (2) SINGLE POINTS OF FAILURE CP-8 (2)
CP-8 (3) SEPARATION OF PRIMARY / ALTERNATE PROVIDERS CP-8 (3)
CP-8 (4) PROVIDER CONTINGENCY PLAN CP-8 (4)
CP-8 (5) ALTERNATE TELECOMMUNICATION SERVICE TESTING CP-8 (5)
CP-09 INFORMATION SYSTEM BACKUP • CP-09
P1 LOW CP-9 (1) TESTING FOR RELIABILITY / INTEGRITY • CP-9 (1)
CP-9 (2) TEST RESTORATION USING SAMPLING • CP-9 (2)
CP-9 (3) SEPARATE STORAGE FOR CRITICAL INFORMATION • CP-9 (3)
CP-9 (4) PROTECTION FROM UNAUTHORIZED MODIFICATION • CP-9 (4)
CP-9 (5) TRANSFER TO ALTERNATE STORAGE SITE • CP-9 (5)
CP-9 (6) REDUNDANT SECONDARY SYSTEM • CP-9 (6)
CP-9 (7) DUAL AUTHORIZATION • CP-9 (7)
CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION • CP-10
P1 LOW CP-10 (1) CONTINGENCY PLAN TESTING • CP-10 (1)
CP-10 (2) TRANSACTION RECOVERY • CP-10 (2)
CP-10 (3) COMPENSATING SECURITY CONTROLS • CP-10 (3)
CP-10 (4) RESTORE WITHIN TIME PERIOD • CP-10 (4)
CP-10 (5) FAILOVER CAPABILITY • CP-10 (5)
CP-10 (6) COMPONENT PROTECTION • CP-10 (6)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS CP-11
P0
CP-12 SAFE MODE CP-12
P0
CP-13 ALTERNATIVE SECURITY MECHANISMS CP-13
P0
IDENTIFICATION AND AUTHENTICATION IDENTIFICATION AND AUTHENTICATION
IA-01 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES IA-01
P1 LOW
IA-02 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) • IA-02
P1 LOW IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS • IA-2 (1)
IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS • IA-2 (2)
IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS • IA-2 (3)
IA-2 (4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS • IA-2 (4)
IA-2 (5) GROUP AUTHENTICATION • IA-2 (5)
IA-2 (6) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE • IA-2 (6)
IA-2 (7) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE • IA-2 (7)
IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT • IA-2 (8)
IA-2 (9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT • IA-2 (9)
IA-2 (10) SINGLE SIGN-ON • IA-2 (10)
IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE • IA-2 (11)
IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS • IA-2 (12)
IA-2 (13) OUT-OF-BAND AUTHENTICATION • IA-2 (13)
IA-03 DEVICE IDENTIFICATION AND AUTHENTICATION • • IA-03
P1 MODERATE IA-3 (1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION • • IA-3 (1)
IA-3 (2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION • • IA-3 (2)
IA-3 (3) DYNAMIC ADDRESS ALLOCATION • • IA-3 (3)
IA-3 (4) DEVICE ATTESTATION • • IA-3 (4)
IA-04 IDENTIFIER MANAGEMENT • IA-04
P1 LOW IA-4 (1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS • IA-4 (1)
IA-4 (2) SUPERVISOR AUTHORIZATION • IA-4 (2)
IA-4 (3) MULTIPLE FORMS OF CERTIFICATION • IA-4 (3)
IA-4 (4) IDENTIFY USER STATUS • IA-4 (4)
IA-4 (5) DYNAMIC MANAGEMENT • IA-4 (5)
IA-4 (6) CROSS-ORGANIZATION MANAGEMENT • IA-4 (6)
IA-4 (7) IN-PERSON REGISTRATION • IA-4 (7)
IA-05 AUTHENTICATOR MANAGEMENT • • IA-05
P1 LOW IA-5 (1) PASSWORD-BASED AUTHENTICATION • • IA-5 (1)
IA-5 (2) PKI-BASED AUTHENTICATION • • IA-5 (2)
IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION • • IA-5 (3)
IA-5 (4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION • • IA-5 (4)
IA-5 (5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY • • IA-5 (5)
IA-5 (6) PROTECTION OF AUTHENTICATORS • • IA-5 (6)
IA-5 (7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS • • IA-5 (7)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
P1 LOW IA-5 (8) MULTIPLE INFORMATION SYSTEM ACCOUNTS • • IA-5 (8)
IA-5 (9) CROSS-ORGANIZATION CREDENTIAL MANAGEMENT • • IA-5 (9)
IA-5 (10) DYNAMIC CREDENTIAL ASSOCIATION • • IA-5 (10)
IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION • • IA-5 (11)
IA-5 (12) BIOMETRIC AUTHENTICATION • • IA-5 (12)
IA-5 (13) EXPIRATION OF CACHED AUTHENTICATORS • • IA-5 (13)
IA-5 (14) MANAGING CONTENT OF PKI TRUST STORES • • IA-5 (14)
IA-5 (15) FICAM-APPROVED PRODUCTS AND SERVICES • • IA-5 (15)
IA-06 AUTHENTICATOR FEEDBACK IA-06
P2 LOW
IA-07 CRYPTOGRAPHIC MODULE AUTHENTICATION IA-07
P1 LOW
IA-08 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) IA-08
P1 LOW IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES IA-8 (1)
IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS IA-8 (2)
IA-8 (3) USE OF FICAM-APPROVED PRODUCTS IA-8 (3)
IA-8 (4) USE OF FICAM-ISSUED PROFILES IA-8 (4)
IA-8 (5) ACCEPTANCE OF PIV-I CREDENTIALS IA-8 (5)
IA-09 SERVICE IDENTIFICATION AND AUTHENTICATION IA-09
P0 IA-9 (1) INFORMATION EXCHANGE IA-9 (1)
IA-9 (2) TRANSMISSION OF DECISIONS IA-9 (2)
IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION • • IA-10
P0 • •
IA-11 RE-AUTHENTICATION IA-11
P0
INCIDENT RESPONSE INCIDENT RESPONSE
IR-01 INCIDENT RESPONSE POLICY AND PROCEDURES • IR-01
P1 LOW •
IR-02 INCIDENT RESPONSE TRAINING • IR-02
P2 LOW IR-2 (1) SIMULATED EVENTS • IR-2 (1)
IR-2 (2) AUTOMATED TRAINING ENVIRONMENTS • IR-2 (2)
IR-03 INCIDENT RESPONSE TESTING • IR-03
P2 MODERATE IR-3 (1) AUTOMATED TESTING • IR-3 (1)
IR-3 (2) COORDINATION WITH RELATED PLANS • IR-3 (2)
IR-04 INCIDENT HANDLING • IR-04
P1 LOW IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES • IR-4 (1)
IR-4 (2) DYNAMIC RECONFIGURATION • IR-4 (2)
IR-4 (3) CONTINUITY OF OPERATIONS • IR-4 (3)
IR-4 (4) INFORMATION CORRELATION • IR-4 (4)
IR-4 (5) AUTOMATIC DISABLING OF INFORMATION SYSTEM • IR-4 (5)
IR-4 (6) INSIDER THREATS - SPECIFIC CAPABILITIES • IR-4 (6)
IR-4 (7) INSIDER THREATS - INTRA-ORGANIZATION COORDINATION • IR-4 (7)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
IR-04 P1 LOW IR-4 (8) CORRELATION WITH EXTERNAL ORGANIZATIONS • IR-4 (8)
IR-4 (9) DYNAMIC RESPONSE CAPABILITY • IR-4 (9)
IR-4 (10) SUPPLY CHAIN COORDINATION • IR-4 (10)
IR-05 INCIDENT MONITORING • IR-05
P1 LOW IR-5 (1) AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS IR-5 (1)
IR-06 INCIDENT REPORTING • IR-06
P1 LOW IR-6 (1) AUTOMATED REPORTING • IR-6 (1)
IR-6 (2) VULNERABILITIES RELATED TO INCIDENTS • IR-6 (2)
IR-6 (3) COORDINATION WITH SUPPLY CHAIN • IR-6 (3)
IR-07 INCIDENT RESPONSE ASSISTANCE • IR-07
P2 LOW IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT • IR-7 (1)
IR-7 (2) COORDINATION WITH EXTERNAL PROVIDERS • IR-7 (2)
IR-08 INCIDENT RESPONSE PLAN • IR-08
P1 LOW •
IR-09 INFORMATION SPILLAGE RESPONSE • IR-09
P0 IR-9 (1) RESPONSIBLE PERSONNEL • IR-9 (1)
IR-9 (2) TRAINING • IR-9 (2)
IR-9 (3) POST-SPILL OPERATIONS • IR-9 (3)
IR-9 (4) EXPOSURE TO UNAUTHORIZED PERSONNEL • IR-9 (4)
IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM • IR-10
P0 •
MAINTENANCE MAINTENANCE
MA-01 SYSTEM MAINTENANCE POLICY AND PROCEDURES MA-01
P1 LOW
MA-02 CONTROLLED MAINTENANCE MA-02
P2 LOW MA-2 (1) RECORD CONTENT MA-2 (1)
MA-2 (2) AUTOMATED MAINTENANCE ACTIVITIES MA-2 (2)
MA-03 MAINTENANCE TOOLS MA-03
P3 MODERATE MA-3 (1) INSPECT TOOLS MA-3 (1)
MA-3 (2) INSPECT MEDIA MA-3 (2)
MA-3 (3) PREVENT UNAUTHORIZED REMOVAL MA-3 (3)
MA-3 (4) RESTRICTED TOOL USE MA-3 (4)
MA-04 NONLOCAL MAINTENANCE • • MA-04
P2 LOW MA-4 (1) AUDITING AND REVIEW • • MA-4 (1)
MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE • • MA-4 (2)
MA-4 (3) COMPARABLE SECURITY / SANITIZATION • • MA-4 (3)
MA-4 (4) AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS • • MA-4 (4)
MA-4 (5) APPROVALS AND NOTIFICATIONS • • MA-4 (5)
MA-4 (6) CRYPTOGRAPHIC PROTECTION • • MA-4 (6)
MA-4 (7) REMOTE DISCONNECT VERIFICATION • • MA-4 (7)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
MA-04 P2 LOW
MA-05 MAINTENANCE PERSONNEL MA-05
P2 LOW MA-5 (1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS MA-5 (1)
MA-5 (2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS MA-5 (2)
MA-5 (3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS MA-5 (3)
MA-5 (4) FOREIGN NATIONALS MA-5 (4)
MA-5 (5) NONSYSTEM-RELATED MAINTENANCE MA-5 (5)
MA-06 TIMELY MAINTENANCE MA-06
P2 MODERATE MA-6 (1) PREVENTIVE MAINTENANCE MA-6 (1)
MA-6 (2) PREDICTIVE MAINTENANCE MA-6 (2)
MA-6 (3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE MA-6 (3)
MEDIA PROTECTION MEDIA PROTECTION
MP-01 MEDIA PROTECTION POLICY AND PROCEDURES MP-01
P1 LOW
MP-02 MEDIA ACCESS MP-02
P1 LOW MP-2 (1) AUTOMATED RESTRICTED ACCESS MP-2 (1)
MP-2 (2) CRYPTOGRAPHIC PROTECTION MP-2 (2)
MP-03 MEDIA MARKING • MP-03
P2 MODERATE •
MP-04 MEDIA STORAGE • MP-04
P1 MODERATE MP-4 (1) CRYPTOGRAPHIC PROTECTION • MP-4 (1)
MP-4 (2) AUTOMATED RESTRICTED ACCESS • MP-4 (2)
MP-05 MEDIA TRANSPORT • MP-05
P1 MODERATE MP-5 (1) PROTECTION OUTSIDE OF CONTROLLED AREAS • MP-5 (1)
MP-5 (2) DOCUMENTATION OF ACTIVITIES • MP-5 (2)
MP-5 (3) CUSTODIANS • MP-5 (3)
MP-5 (4) CRYPTOGRAPHIC PROTECTION • MP-5 (4)
MP-06 MEDIA SANITIZATION MP-06
P1 LOW MP-6 (1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY MP-6 (1)
MP-6 (2) EQUIPMENT TESTING MP-6 (2)
MP-6 (3) NONDESTRUCTIVE TECHNIQUES MP-6 (3)
MP-6 (4) CONTROLLED UNCLASSIFIED INFORMATION MP-6 (4)
MP-6 (5) CLASSIFIED INFORMATION MP-6 (5)
MP-6 (6) MEDIA DESTRUCTION MP-6 (6)
MP-6 (7) DUAL AUTHORIZATION MP-6 (7)
MP-6 (8) REMOTE PURGING / WIPING OF INFORMATION MP-6 (8)
MP-07 MEDIA USE MP-07
P1 LOW MP-7 (1) PROHIBIT USE WITHOUT OWNER MP-7 (1)
MP-7 (2) PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA MP-7 (2)
MP-08 MEDIA DOWNGRADING MP-08

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
MP-08 P0 MP-8 (1) DOCUMENTATION OF PROCESS MP-8 (1)
MP-8 (2) EQUIPMENT TESTING MP-8 (2)
MP-8 (3) CONTROLLED UNCLASSIFIED INFORMATION MP-8 (3)
MP-8 (4) CLASSIFIED INFORMATION MP-8 (4)
PERSONNEL SECURITY PERSONNEL SECURITY
PS-01 PERSONNEL SECURITY POLICY AND PROCEDURES PS-01
P1 LOW
PS-02 POSITION RISK DESIGNATION PS-02
P1 LOW
PS-03 PERSONNEL SCREENING PS-03
P1 LOW PS-3 (1) CLASSIFIED INFORMATION PS-3 (1)
PS-3 (2) FORMAL INDOCTRINATION PS-3 (2)
PS-3 (3) INFORMATION WITH SPECIAL PROTECTION MEASURES PS-3 (3)
PS-04 PERSONNEL TERMINATION PS-04
P1 LOW PS-4 (1) POST-EMPLOYMENT REQUIREMENTS PS-4 (1)
PS-4 (2) AUTOMATED NOTIFICATION PS-4 (2)
PS-05 PERSONNEL TRANSFER PS-05
P2 LOW
PS-06 ACCESS AGREEMENTS PS-06
P3 LOW PS-6 (1) INFORMATION REQUIRING SPECIAL PROTECTION PS-6 (1)
PS-6 (2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION PS-6 (2)
PS-6 (3) POST-EMPLOYMENT REQUIREMENTS PS-6 (3)
PS-07 THIRD-PARTY PERSONNEL SECURITY PS-07
P1 LOW
PS-08 PERSONNEL SANCTIONS PS-08
P3 LOW
PHYSICAL AND ENVIRONMENTAL PROTECTION PHYSICAL AND ENVIRONMENTAL PROTECTION
PE-01 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES PE-01
P1 LOW
PE-02 PHYSICAL ACCESS AUTHORIZATIONS PE-02
P1 LOW PE-2 (1) ACCESS BY POSITION / ROLE PE-2 (1)
PE-2 (2) TWO FORMS OF IDENTIFICATION PE-2 (2)
PE-2 (3) RESTRICT UNESCORTED ACCESS PE-2 (3)
PE-03 PHYSICAL ACCESS CONTROL PE-03
P1 LOW PE-3 (1) INFORMATION SYSTEM ACCESS PE-3 (1)
PE-3 (2) FACILITY / INFORMATION SYSTEM BOUNDARIES PE-3 (2)
PE-3 (3) CONTINUOUS GUARDS / ALARMS / MONITORING PE-3 (3)
PE-3 (4) LOCKABLE CASINGS PE-3 (4)
PE-3 (5) TAMPER PROTECTION PE-3 (5)
PE-3 (6) FACILITY PENETRATION TESTING PE-3 (6)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
PE-04 ACCESS CONTROL FOR TRANSMISSION MEDIUM PE-04
P1 MODERATE
PE-05 ACCESS CONTROL FOR OUTPUT DEVICES PE-05
P2 MODERATE PE-5 (1) ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS PE-5 (1)
PE-5 (2) ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY PE-5 (2)
PE-5 (3) MARKING OUTPUT DEVICES PE-5 (3)
PE-06 MONITORING PHYSICAL ACCESS PE-06
P1 LOW PE-6 (1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT PE-6 (1)
PE-6 (2) AUTOMATED INTRUSION RECOGNITION / RESPONSES PE-6 (2)
PE-6 (3) VIDEO SURVEILLANCE PE-6 (3)
PE-6 (4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS PE-6 (4)
PE-07 VISITOR CONTROL PE-07
PE-08 VISITOR ACCESS RECORDS PE-08
P3 LOW PE-8 (1) AUTOMATED RECORDS MAINTENANCE / REVIEW PE-8 (1)
PE-8 (2) PHYSICAL ACCESS RECORDS PE-8 (2)
PE-09 POWER EQUIPMENT AND CABLING PE-09
P1 MODERATE PE-9 (1) REDUNDANT CABLING PE-9 (1)
PE-9 (2) AUTOMATIC VOLTAGE CONTROLS PE-9 (2)
PE-10 EMERGENCY SHUTOFF PE-10
P1 MODERATE PE-10 (1) ACCIDENTAL / UNAUTHORIZED ACTIVATION PE-10 (1)
PE-11 EMERGENCY POWER PE-11
P1 MODERATE PE-11 (1) LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY PE-11 (1)
PE-11 (2) LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED PE-11 (2)
PE-12 EMERGENCY LIGHTING PE-12
P1 LOW PE-12 (1) ESSENTIAL MISSIONS / BUSINESS FUNCTIONS PE-12 (1)
PE-13 FIRE PROTECTION PE-13
P1 LOW PE-13 (1) DETECTION DEVICES / SYSTEMS PE-13 (1)
PE-13 (2) SUPPRESSION DEVICES / SYSTEMS PE-13 (2)
PE-13 (3) AUTOMATIC FIRE SUPPRESSION PE-13 (3)
PE-13 (4) INSPECTIONS PE-13 (4)
PE-14 TEMPERATURE AND HUMIDITY CONTROLS PE-14
P1 LOW PE-14 (1) AUTOMATIC CONTROLS PE-14 (1)
PE-14 (2) MONITORING WITH ALARMS / NOTIFICATIONS PE-14 (2)
PE-15 WATER DAMAGE PROTECTION PE-15
P1 LOW PE-15 (1) AUTOMATION SUPPORT PE-15 (1)
PE-16 DELIVERY AND REMOVAL PE-16
P2 LOW

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
PE-17 ALTERNATE WORK SITE PE-17
P2 MODERATE
PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS PE-18
P3 HIGH PE-18 (1) FACILITY SITE PE-18 (1)
PE-19 INFORMATION LEAKAGE PE-19
P0 PE-19 (1) NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES PE-19 (1)
PE-20 ASSET MONITORING AND TRACKING PE-20
P0
PLANNING PLANNING
PL-01 SECURITY PLANNING POLICY AND PROCEDURES PL-01
P1 LOW
PL-02 SYSTEM SECURITY PLAN PL-02
P1 LOW PL-2 (1) CONCEPT OF OPERATIONS PL-2 (1)
PL-2 (2) FUNCTIONAL ARCHITECTURE PL-2 (2)
PL-2 (3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES PL-2 (3)
PL-03 SYSTEM SECURITY PLAN UPDATE PL-03
PL-04 RULES OF BEHAVIOR PL-04
P2 LOW PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS PL-4 (1)
PL-05 PRIVACY IMPACT ASSESSMENT PL-05
PL-06 SECURITY-RELATED ACTIVITY PLANNING PL-06
PL-07 SECURITY CONCEPT OF OPERATIONS PL-07
P0
PL-08 INFORMATION SECURITY ARCHITECTURE PL-08
P1 MODERATE PL-8 (1) DEFENSE-IN-DEPTH PL-8 (1)
PL-8 (2) SUPPLIER DIVERSITY PL-8 (2)
PL-09 CENTRAL MANAGEMENT PL-09
P0
Program Management Program Management
PM-01 INFORMATION SECURITY PROGRAM PLAN PM-01
PM-02 SENIOR INFORMATION SECURITY OFFICER PM-02
PM-03 INFORMATION SECURITY RESOURCES PM-03
PM-04 PLAN OF ACTION AND MILESTONES PROCESS PM-04
PM-05 INFORMATION SYSTEM INVENTORY • • PM-05

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
PM-06 INFORMATION SECURITY MEASURES OF PERFORMANCE • PM-06
PM-07 ENTERPRISE ARCHITECTURE PM-07
PM-08 CRITICAL INFRASTRUCTURE PLAN PM-08
PM-09 RISK MANAGEMENT STRATEGY PM-09
PM-10 SECURITY AUTHORIZATION PROCESS PM-10
PM-11 MISSION/BUSINESS PROCESS DEFINITION PM-11
PM-12 INSIDER THREAT PROGRAM PM-12
PM-13 INFORMATION SECURITY WORKFORCE • PM-13
PM-14 TESTING, TRAINING, AND MONITORING • • PM-14
PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS PM-15
PM-16 THREAT AWARENESS PROGRAM • • PM-16
RISK ASSESSMENT RISK ASSESSMENT
RA-01 RISK ASSESSMENT POLICY AND PROCEDURES RA-01
P1 LOW
RA-02 SECURITY CATEGORIZATION • RA-02
P1 LOW •
RA-03 RISK ASSESSMENT RA-03
P1 LOW
RA-04 RISK ASSESSMENT UPDATE RA-04
RA-05 VULNERABILITY SCANNING • • • RA-05
P1 LOW RA-5 (1) UPDATE TOOL CAPABILITY • • • RA-5 (1)
RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED • • • RA-5 (2)
RA-5 (3) BREADTH / DEPTH OF COVERAGE • • • RA-5 (3)
RA-5 (4) DISCOVERABLE INFORMATION • • • RA-5 (4)
RA-5 (5) PRIVILEGED ACCESS • • • RA-5 (5)
RA-5 (6) AUTOMATED TREND ANALYSES • • • RA-5 (6)
RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS • • • RA-5 (7)
RA-5 (8) REVIEW HISTORIC AUDIT LOGS • • • RA-5 (8)
RA-5 (9) PENETRATION TESTING AND ANALYSES • • • RA-5 (9)
RA-5 (10) CORRELATE SCANNING INFORMATION • • • RA-5 (10)
RA-06 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY • RA-06
P0 •
SECURITY ASSESSMENT AND AUTHORIZATION SECURITY ASSESSMENT AND AUTHORIZATION

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
CA-01 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES CA-01
P1 LOW
CA-02 SECURITY ASSESSMENTS • • CA-02
P2 LOW CA-2 (1) INDEPENDENT ASSESSORS • • CA-2 (1)
CA-2 (2) SPECIALIZED ASSESSMENTS • • CA-2 (2)
CA-2 (3) EXTERNAL ORGANIZATIONS • • CA-2 (3)
CA-03 SYSTEM INTERCONNECTIONS • • • • CA-03
P1 LOW CA-3 (1) UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (1)
CA-3 (2) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (2)
CA-3 (3) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (3)
CA-3 (4) CONNECTIONS TO PUBLIC NETWORKS • • • • CA-3 (4)
CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS • • • • CA-3 (5)
CA-04 SECURITY CERTIFICATION CA-04
CA-05 PLAN OF ACTION AND MILESTONES • CA-05
P3 LOW CA-5 (1) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY • CA-5 (1)
CA-06 SECURITY AUTHORIZATION • CA-06
P2 LOW •
CA-07 CONTINUOUS MONITORING • • • • • • • • • • • • • • CA-07
P2 LOW CA-7 (1) INDEPENDENT ASSESSMENT • • • • • • • • • • • • • • CA-7 (1)
CA-7 (2) TYPES OF ASSESSMENTS • • • • • • • • • • • • • • CA-7 (2)
CA-7 (3) TREND ANALYSES • • • • • • • • • • • • • • CA-7 (3)
CA-08 PENETRATION TESTING • CA-08
P2 HIGH CA-8 (1) INDEPENDENT PENETRATION AGENT OR TEAM • CA-8 (1)
CA-8 (2) RED TEAM EXERCISES • CA-8 (2)
CA-09 INTERNAL SYSTEM CONNECTIONS • • • • • CA-09
P2 LOW CA-9 (1) SECURITY COMPLIANCE CHECKS • • • • • CA-9 (1)
SYSTEM AND COMMUNICATIONS PROTECTION SYSTEM AND COMMUNICATIONS PROTECTION
SC-01 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES SC-01
P1 LOW
SC-02 APPLICATION PARTITIONING SC-02
P1 MODERATE SC-2 (1) INTERFACES FOR NON-PRIVILEGED USERS SC-2 (1)
SC-03 SECURITY FUNCTION ISOLATION SC-03
P1 HIGH SC-3 (1) HARDWARE SEPARATION SC-3 (1)
SC-3 (2) ACCESS / FLOW CONTROL FUNCTIONS SC-3 (2)
SC-3 (3) MINIMIZE NONSECURITY FUNCTIONALITY SC-3 (3)
SC-3 (4) MODULE COUPLING AND COHESIVENESS SC-3 (4)
SC-3 (5) LAYERED STRUCTURES SC-3 (5)
SC-04 INFORMATION IN SHARED RESOURCES SC-04

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SC-04 P1 MODERATE SC-4 (1) SECURITY LEVELS SC-4 (1)
SC-4 (2) PERIODS PROCESSING SC-4 (2)
SC-05 DENIAL OF SERVICE PROTECTION SC-05
P1 LOW SC-5 (1) RESTRICT INTERNAL USERS SC-5 (1)
SC-5 (2) EXCESS CAPACITY / BANDWIDTH / REDUNDANCY SC-5 (2)
SC-5 (3) DETECTION / MONITORING SC-5 (3)
SC-06 RESOURCE AVAILABILITY SC-06
P0
SC-07 BOUNDARY PROTECTION • SC-07
P1 LOW SC-7 (1) PHYSICALLY SEPARATED SUBNETWORKS • SC-7 (1)
SC-7 (2) PUBLIC ACCESS • SC-7 (2)
SC-7 (3) ACCESS POINTS • SC-7 (3)
SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES • SC-7 (4)
SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION • SC-7 (5)
SC-7 (6) RESPONSE TO RECOGNIZED FAILURES • SC-7 (6)
SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES • SC-7 (7)
SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS • SC-7 (8)
SC-7 (9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC • SC-7 (9)
SC-7 (10) PREVENT UNAUTHORIZED EXFILTRATION • SC-7 (10)
SC-7 (11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC • SC-7 (11)
SC-7 (12) HOST-BASED PROTECTION • SC-7 (12)
SC-7 (13) ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS • SC-7 (13)
SC-7 (14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS • SC-7 (14)
SC-7 (15) ROUTE PRIVILEGED NETWORK ACCESSES • SC-7 (15)
SC-7 (16) PREVENT DISCOVERY OF COMPONENTS / DEVICES • SC-7 (16)
SC-7 (17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS • SC-7 (17)
SC-7 (18) FAIL SECURE • SC-7 (18)
SC-7 (19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS • SC-7 (19)
SC-7 (20) DYNAMIC ISOLATION / SEGREGATION • SC-7 (20)
SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS • SC-7 (21)
SC-7 (22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS • SC-7 (22)
SC-7 (23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE • SC-7 (23)
SC-08 TRANSMISSION CONFIDENTIALITY AND INTEGRITY • • • SC-08
P1 MODERATE SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION • • • SC-8 (1)
SC-8 (2) PRE / POST TRANSMISSION HANDLING • • • SC-8 (2)
SC-8 (3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS • • • SC-8 (3)
SC-8 (4) CONCEAL / RANDOMIZE COMMUNICATIONS • • • SC-8 (4)
SC-09 TRANSMISSION CONFIDENTIALITY SC-09
SC-10 NETWORK DISCONNECT SC-10
P2 MODERATE
SC-11 TRUSTED PATH SC-11
P0 SC-11 (1) LOGICAL ISOLATION SC-11 (1)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT SC-12
P1 LOW SC-12 (1) AVAILABILITY SC-12 (1)
SC-12 (2) SYMMETRIC KEYS SC-12 (2)
SC-12 (3) ASYMMETRIC KEYS SC-12 (3)
SC-12 (4) PKI CERTIFICATES SC-12 (4)
SC-12 (5) PKI CERTIFICATES / HARDWARE TOKENS SC-12 (5)
SC-13 CRYPTOGRAPHIC PROTECTION SC-13
P1 LOW SC-13 (1) FIPS-VALIDATED CRYPTOGRAPHY SC-13 (1)
SC-13 (2) NSA-APPROVED CRYPTOGRAPHY SC-13 (2)
SC-13 (3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS SC-13 (3)
SC-13 (4) DIGITAL SIGNATURES SC-13 (4)
SC-14 PUBLIC ACCESS PROTECTIONS SC-14
SC-15 COLLABORATIVE COMPUTING DEVICES • SC-15
P1 LOW SC-15 (1) PHYSICAL DISCONNECT • SC-15 (1)
SC-15 (2) BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC • SC-15 (2)
SC-15 (3) DISABLING / REMOVAL IN SECURE WORK AREAS • SC-15 (3)
SC-15 (4) EXPLICITLY INDICATE CURRENT PARTICIPANTS • SC-15 (4)
SC-16 TRANSMISSION OF SECURITY ATTRIBUTES • SC-16
P0 SC-16 (1) INTEGRITY VALIDATION • SC-16 (1)
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES • • SC-17
P1 MODERATE • •
SC-18 MOBILE CODE • SC-18
P2 MODERATE SC-18 (1) IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS • SC-18 (1)
SC-18 (2) ACQUISITION / DEVELOPMENT / USE • SC-18 (2)
SC-18 (3) PREVENT DOWNLOADING / EXECUTION • SC-18 (3)
SC-18 (4) PREVENT AUTOMATIC EXECUTION • SC-18 (4)
SC-18 (5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS • SC-18 (5)
SC-19 VOICE OVER INTERNET PROTOCOL SC-19
P1 MODERATE
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) • • SC-20
P1 LOW SC-20 (1) CHILD SUBSPACES • • SC-20 (1)
SC-20 (2) DATA ORIGIN / INTEGRITY • • SC-20 (2)
SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) • • SC-21
P1 LOW SC-21 (1) DATA ORIGIN / INTEGRITY • • SC-21 (1)
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE • • SC-22
P1 LOW • •
SC-23 SESSION AUTHENTICITY • SC-23
P1 MODERATE SC-23 (1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT • SC-23 (1)
SC-23 (2) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS • SC-23 (2)
SC-23 (3) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION • SC-23 (3)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SC-23 P1 MODERATE SC-23 (4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION • SC-23 (4)
SC-23 (5) ALLOWED CERTIFICATE AUTHORITIES • SC-23 (5)
SC-24 FAIL IN KNOWN STATE • SC-24
P1 HIGH •
SC-25 THIN NODES SC-25
P0
SC-26 HONEYPOTS SC-26
P0 SC-26 (1) DETECTION OF MALICIOUS CODE SC-26 (1)
SC-27 PLATFORM-INDEPENDENT APPLICATIONS SC-27
P0
SC-28 PROTECTION OF INFORMATION AT REST • SC-28
P1 MODERATE SC-28 (1) CRYPTOGRAPHIC PROTECTION • SC-28 (1)
SC-28 (2) OFF-LINE STORAGE • SC-28 (2)
SC-29 HETEROGENEITY SC-29
P0 SC-29 (1) VIRTUALIZATION TECHNIQUES SC-29 (1)
SC-30 CONCEALMENT AND MISDIRECTION SC-30
P0 SC-30 (1) VIRTUALIZATION TECHNIQUES SC-30 (1)
SC-30 (2) RANDOMNESS SC-30 (2)
SC-30 (3) CHANGE PROCESSING / STORAGE LOCATIONS SC-30 (3)
SC-30 (4) MISLEADING INFORMATION SC-30 (4)
SC-30 (5) CONCEALMENT OF SYSTEM COMPONENTS SC-30 (5)
SC-31 COVERT CHANNEL ANALYSIS • SC-31
P0 SC-31 (1) TEST COVERT CHANNELS FOR EXPLOITABILITY • SC-31 (1)
SC-31 (2) MAXIMUM BANDWIDTH • SC-31 (2)
SC-31 (3) MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS • SC-31 (3)
SC-32 INFORMATION SYSTEM PARTITIONING • SC-32
P0 •
SC-33 TRANSMISSION PREPARATION INTEGRITY SC-33
SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS • • • SC-34
P0 SC-34 (1) NO WRITABLE STORAGE • • • SC-34 (1)
SC-34 (2) INTEGRITY PROTECTION / READ-ONLY MEDIA • • • SC-34 (2)
SC-34 (3) HARDWARE-BASED PROTECTION • • • SC-34 (3)
SC-35 HONEYCLIENTS SC-35
P0
SC-36 DISTRIBUTED PROCESSING AND STORAGE SC-36
P0 SC-36 (1) POLLING TECHNIQUES SC-36 (1)
SC-37 OUT-OF-BAND CHANNELS • SC-37
P0 SC-37 (1) ENSURE DELIVERY / TRANSMISSION • SC-37 (1)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SC-38 OPERATIONS SECURITY SC-38
P0
SC-39 PROCESS ISOLATION • • SC-39
P1 LOW SC-39 (1) HARDWARE SEPARATION • • SC-39 (1)
SC-39 (2) THREAD ISOLATION • • SC-39 (2)
SC-40 WIRELESS LINK PROTECTION • SC-40
P0 SC-40 (1) ELECTROMAGNETIC INTERFERENCE • SC-40 (1)
SC-40 (2) REDUCE DETECTION POTENTIAL • SC-40 (2)
SC-40 (3) IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION • SC-40 (3)
SC-40 (4) SIGNAL PARAMETER IDENTIFICATION • SC-40 (4)
SC-41 PORT AND I/O DEVICE ACCESS • • SC-41
P0 • •
SC-42 SENSOR CAPABILITY AND DATA SC-42
P0 SC-42 (1) REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES SC-42 (1)
SC-42 (2) AUTHORIZED USE SC-42 (2)
SC-42 (3) PROHIBIT USE OF DEVICES SC-42 (3)
SC-43 USAGE RESTRICTIONS SC-43
P0
SC-44 DETONATION CHAMBERS • SC-44
P0 •
SYSTEM AND INFORMATION INTEGRITY SYSTEM AND INFORMATION INTEGRITY
SI-01 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES SI-01
P1 LOW
SI-02 FLAW REMEDIATION • SI-02
P1 LOW SI-2 (1) CENTRAL MANAGEMENT • SI-2 (1)
SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS • SI-2 (2)
SI-2 (3) TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS • SI-2 (3)
SI-2 (4) AUTOMATED PATCH MANAGEMENT TOOLS • SI-2 (4)
SI-2 (5) AUTOMATIC SOFTWARE / FIRMWARE UPDATES • SI-2 (5)
SI-2 (6) REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE • SI-2 (6)
SI-03 MALICIOUS CODE PROTECTION • SI-03
P1 LOW SI-3 (1) CENTRAL MANAGEMENT • SI-3 (1)
SI-3 (2) AUTOMATIC UPDATES • SI-3 (2)
SI-3 (3) NON-PRIVILEGED USERS • SI-3 (3)
SI-3 (4) UPDATES ONLY BY PRIVILEGED USERS • SI-3 (4)
SI-3 (5) PORTABLE STORAGE DEVICES • SI-3 (5)
SI-3 (6) TESTING / VERIFICATION • SI-3 (6)
SI-3 (7) NONSIGNATURE-BASED DETECTION • SI-3 (7)
SI-3 (8) DETECT UNAUTHORIZED COMMANDS • SI-3 (8)
SI-3 (9) AUTHENTICATE REMOTE COMMANDS • SI-3 (9)
SI-3 (10) MALICIOUS CODE ANALYSIS • SI-3 (10)
SI-04 INFORMATION SYSTEM MONITORING • • • • • • • • • • • • • • SI-04

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SI-04 P1 LOW SI-4 (1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM • • • • • • • • • • • • • • SI-4 (1)
SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS • • • • • • • • • • • • • • SI-4 (2)
SI-4 (3) AUTOMATED TOOL INTEGRATION • • • • • • • • • • • • • • SI-4 (3)
SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC • • • • • • • • • • • • • • SI-4 (4)
SI-4 (5) SYSTEM-GENERATED ALERTS • • • • • • • • • • • • • • SI-4 (5)
SI-4 (6) RESTRICT NON-PRIVILEGED USERS • • • • • • • • • • • • • • SI-4 (6)
SI-4 (7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS • • • • • • • • • • • • • • SI-4 (7)
SI-4 (8) PROTECTION OF MONITORING INFORMATION • • • • • • • • • • • • • • SI-4 (8)
SI-4 (9) TESTING OF MONITORING TOOLS • • • • • • • • • • • • • • SI-4 (9)
SI-4 (10) VISIBILITY OF ENCRYPTED COMMUNICATIONS • • • • • • • • • • • • • • SI-4 (10)
SI-4 (11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES • • • • • • • • • • • • • • SI-4 (11)
SI-4 (12) AUTOMATED ALERTS • • • • • • • • • • • • • • SI-4 (12)
SI-4 (13) ANALYZE TRAFFIC / EVENT PATTERNS • • • • • • • • • • • • • • SI-4 (13)
SI-4 (14) WIRELESS INTRUSION DETECTION • • • • • • • • • • • • • • SI-4 (14)
SI-4 (15) WIRELESS TO WIRELINE COMMUNICATIONS • • • • • • • • • • • • • • SI-4 (15)
SI-4 (16) CORRELATE MONITORING INFORMATION • • • • • • • • • • • • • • SI-4 (16)
SI-4 (17) INTEGRATED SITUATIONAL AWARENESS • • • • • • • • • • • • • • SI-4 (17)
SI-4 (18) ANALYZE TRAFFIC / COVERT EXFILTRATION • • • • • • • • • • • • • • SI-4 (18)
SI-4 (19) INDIVIDUALS POSING GREATER RISK • • • • • • • • • • • • • • SI-4 (19)
SI-4 (20) PRIVILEGED USER • • • • • • • • • • • • • • SI-4 (20)
SI-4 (21) PROBATIONARY PERIODS • • • • • • • • • • • • • • SI-4 (21)
SI-4 (22) UNAUTHORIZED NETWORK SERVICES • • • • • • • • • • • • • • SI-4 (22)
SI-4 (23) HOST-BASED DEVICES • • • • • • • • • • • • • • SI-4 (23)
SI-4 (24) INDICATORS OF COMPROMISE • • • • • • • • • • • • • • SI-4 (24)
SI-05 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES SI-05
P1 LOW SI-5 (1) AUTOMATED ALERTS AND ADVISORIES SI-5 (1)
SI-06 SECURITY FUNCTION VERIFICATION • SI-06
P1 HIGH SI-6 (1) NOTIFICATION OF FAILED SECURITY TESTS SI-6 (1)
SI-6 (2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING SI-6 (2)
SI-6 (3) REPORT VERIFICATION RESULTS SI-6 (3)
SI-07 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY • SI-07
P1 MODERATE SI-7 (1) INTEGRITY CHECKS • SI-7 (1)
SI-7 (2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS • SI-7 (2)
SI-7 (3) CENTRALLY-MANAGED INTEGRITY TOOLS • SI-7 (3)
SI-7 (4) TAMPER-EVIDENT PACKAGING • SI-7 (4)
SI-7 (5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS • SI-7 (5)
SI-7 (6) CRYPTOGRAPHIC PROTECTION • SI-7 (6)
SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE • SI-7 (7)
SI-7 (8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS • SI-7 (8)
SI-7 (9) VERIFY BOOT PROCESS • SI-7 (9)
SI-7 (10) PROTECTION OF BOOT FIRMWARE • SI-7 (10)
SI-7 (11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES • SI-7 (11)
SI-7 (12) INTEGRITY VERIFICATION • SI-7 (12)
SI-7 (13) CODE EXECUTION IN PROTECTED ENVIRONMENTS • SI-7 (13)
SI-7 (14) BINARY OR MACHINE EXECUTABLE CODE • SI-7 (14)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SI-07 P1 MODERATE SI-7 (15) CODE AUTHENTICATION • SI-7 (15)
SI-7 (16) TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION • SI-7 (16)
SI-08 SPAM PROTECTION • SI-08
P2 MODERATE SI-8 (1) CENTRAL MANAGEMENT • SI-8 (1)
SI-8 (2) AUTOMATIC UPDATES • SI-8 (2)
SI-8 (3) CONTINUOUS LEARNING CAPABILITY • SI-8 (3)
SI-09 INFORMATION INPUT RESTRICTIONS SI-09
SI-10 INFORMATION INPUT VALIDATION • SI-10
P1 MODERATE SI-10 (1) MANUAL OVERRIDE CAPABILITY • SI-10 (1)
SI-10 (2) REVIEW / RESOLUTION OF ERRORS • SI-10 (2)
SI-10 (3) PREDICTABLE BEHAVIOR • SI-10 (3)
SI-10 (4) REVIEW / TIMING INTERACTIONS • SI-10 (4)
SI-10 (5) RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS • SI-10 (5)
SI-11 ERROR HANDLING • SI-11
P2 MODERATE •
SI-12 INFORMATION HANDLING AND RETENTION SI-12
P2 LOW
SI-13 PREDICTABLE FAILURE PREVENTION SI-13
P0 SI-13 (1) TRANSFERRING COMPONENT RESPONSIBILITIES SI-13 (1)
SI-13 (2) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION SI-13 (2)
SI-13 (3) MANUAL TRANSFER BETWEEN COMPONENTS SI-13 (3)
SI-13 (4) STANDBY COMPONENT INSTALLATION / NOTIFICATION SI-13 (4)
SI-13 (5) FAILOVER CAPABILITY SI-13 (5)
SI-14 NON-PERSISTENCE SI-14
P0 SI-14 (1) REFRESH FROM TRUSTED SOURCES SI-14 (1)
SI-15 INFORMATION OUTPUT FILTERING • SI-15
P0 •
SI-16 MEMORY PROTECTION • SI-16
P1 MODERATE •
SI-17 FAIL-SAFE PROCEDURES SI-17
P0
SYSTEM AND SERVICES ACQUISITION SYSTEM AND SERVICES ACQUISITION
SA-01 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES SA-01
P1 LOW
SA-02 ALLOCATION OF RESOURCES SA-02
P1 LOW
SA-03 SYSTEM DEVELOPMENT LIFE CYCLE • SA-03
P1 LOW •
SA-04 ACQUISITION PROCESS • • • SA-04
P1 LOW SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS • • • SA-4 (1)
SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS • • • SA-4 (2)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SA-04 P1 LOW SA-4 (3) DEVELOPMENT METHODS / TECHNIQUES / PRACTICES • • • SA-4 (3)
SA-4 (4) ASSIGNMENT OF COMPONENTS TO SYSTEMS • • • SA-4 (4)
SA-4 (5) SYSTEM / COMPONENT / SERVICE CONFIGURATIONS • • • SA-4 (5)
SA-4 (6) USE OF INFORMATION ASSURANCE PRODUCTS • • • SA-4 (6)
SA-4 (7) NIAP-APPROVED PROTECTION PROFILES • • • SA-4 (7)
SA-4 (8) CONTINUOUS MONITORING PLAN • • • SA-4 (8)
SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE • • • SA-4 (9)
SA-4 (10) USE OF APPROVED PIV PRODUCTS • • • SA-4 (10)
SA-05 INFORMATION SYSTEM DOCUMENTATION SA-05
P2 LOW SA-5 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS SA-5 (1)
SA-5 (2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES SA-5 (2)
SA-5 (3) HIGH-LEVEL DESIGN SA-5 (3)
SA-5 (4) LOW-LEVEL DESIGN SA-5 (4)
SA-5 (5) SOURCE CODE SA-5 (5)
SA-06 SOFTWARE USAGE RESTRICTIONS SA-06
SA-07 USER-INSTALLED SOFTWARE SA-07
SA-08 SECURITY ENGINEERING PRINCIPLES • SA-08
P1 MODERATE •
SA-09 EXTERNAL INFORMATION SYSTEM SERVICES • SA-09
P1 LOW SA-9 (1) RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS • SA-9 (1)
SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES • SA-9 (2)
SA-9 (3) ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS • SA-9 (3)
SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS • SA-9 (4)
SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION • SA-9 (5)
SA-10 DEVELOPER CONFIGURATION MANAGEMENT • SA-10
P1 MODERATE SA-10 (1) SOFTWARE / FIRMWARE INTEGRITY VERIFICATION • SA-10 (1)
SA-10 (2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES • SA-10 (2)
SA-10 (3) HARDWARE INTEGRITY VERIFICATION • SA-10 (3)
SA-10 (4) TRUSTED GENERATION • SA-10 (4)
SA-10 (5) MAPPING INTEGRITY FOR VERSION CONTROL • SA-10 (5)
SA-10 (6) TRUSTED DISTRIBUTION • SA-10 (6)
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION • • SA-11
P1 MODERATE SA-11 (1) STATIC CODE ANALYSIS • • SA-11 (1)
SA-11 (2) THREAT AND VULNERABILITY ANALYSES • • SA-11 (2)
SA-11 (3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE • • SA-11 (3)
SA-11 (4) MANUAL CODE REVIEWS • • SA-11 (4)
SA-11 (5) PENETRATION TESTING / ANALYSIS • • SA-11 (5)
SA-11 (6) ATTACK SURFACE REVIEWS • • SA-11 (6)
SA-11 (7) VERIFY SCOPE OF TESTING / EVALUATION • • SA-11 (7)
SA-11 (8) DYNAMIC CODE ANALYSIS • • SA-11 (8)
SA-12 SUPPLY CHAIN PROTECTION SA-12

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SA-12 P1 HIGH SA-12 (1) ACQUISITION STRATEGIES / TOOLS / METHODS SA-12 (1)
SA-12 (2) SUPPLIER REVIEWS SA-12 (2)
SA-12 (3) TRUSTED SHIPPING AND WAREHOUSING SA-12 (3)
SA-12 (4) DIVERSITY OF SUPPLIERS SA-12 (4)
SA-12 (5) LIMITATION OF HARM SA-12 (5)
SA-12 (6) MINIMIZING PROCUREMENT TIME SA-12 (6)
SA-12 (7) ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE SA-12 (7)
SA-12 (8) USE OF ALL-SOURCE INTELLIGENCE SA-12 (8)
SA-12 (9) OPERATIONS SECURITY SA-12 (9)
SA-12 (10) VALIDATE AS GENUINE AND NOT ALTERED SA-12 (10)
SA-12 (11) PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS SA-12 (11)
SA-12 (12) INTER-ORGANIZATIONAL AGREEMENTS SA-12 (12)
SA-12 (13) CRITICAL INFORMATION SYSTEM COMPONENTS SA-12 (13)
SA-12 (14) IDENTITY AND TRACEABILITY SA-12 (14)
SA-12 (15) PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES SA-12 (15)
SA-13 TRUSTWORTHINESS • SA-13
P0 •
SA-14 CRITICALITY ANALYSIS SA-14
P0 SA-14 (1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING SA-14 (1)
SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS • SA-15
P2 HIGH SA-15 (1) QUALITY METRICS • SA-15 (1)
SA-15 (2) SECURITY TRACKING TOOLS • SA-15 (2)
SA-15 (3) CRITICALITY ANALYSIS • SA-15 (3)
SA-15 (4) THREAT MODELING / VULNERABILITY ANALYSIS • SA-15 (4)
SA-15 (5) ATTACK SURFACE REDUCTION • SA-15 (5)
SA-15 (6) CONTINUOUS IMPROVEMENT • SA-15 (6)
SA-15 (7) AUTOMATED VULNERABILITY ANALYSIS • SA-15 (7)
SA-15 (8) REUSE OF THREAT / VULNERABILITY INFORMATION • SA-15 (8)
SA-15 (9) USE OF LIVE DATA • SA-15 (9)
SA-15 (10) INCIDENT RESPONSE PLAN • SA-15 (10)
SA-15 (11) ARCHIVE INFORMATION SYSTEM / COMPONENT • SA-15 (11)
SA-16 DEVELOPER-PROVIDED TRAINING • • SA-16
P2 HIGH • •
SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN • • SA-17
P1 HIGH SA-17 (1) FORMAL POLICY MODEL • • SA-17 (1)
SA-17 (2) SECURITY-RELEVANT COMPONENTS • • SA-17 (2)
SA-17 (3) FORMAL CORRESPONDENCE • • SA-17 (3)
SA-17 (4) INFORMAL CORRESPONDENCE • • SA-17 (4)
SA-17 (5) CONCEPTUALLY SIMPLE DESIGN • • SA-17 (5)
SA-17 (6) STRUCTURE FOR TESTING • • SA-17 (6)
SA-17 (7) STRUCTURE FOR LEAST PRIVILEGE • • SA-17 (7)
SA-18 TAMPER RESISTANCE AND DETECTION • SA-18
P0 SA-18 (1) MULTIPLE PHASES OF SDLC • SA-18 (1)
SA-18 (2) INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES • SA-18 (2)

1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17
Count
SA-18 P0
SA-19 COMPONENT AUTHENTICITY SA-19
P0 SA-19 (1) ANTI-COUNTERFEIT TRAINING SA-19 (1)
SA-19 (2) CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR SA-19 (2)
SA-19 (3) COMPONENT DISPOSAL SA-19 (3)
SA-19 (4) ANTI-COUNTERFEIT SCANNING SA-19 (4)
SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS • SA-20
P0 •
SA-21 DEVELOPER SCREENING • SA-21
P0 SA-21 (1) VALIDATION OF SCREENING • SA-21 (1)
SA-22 UNSUPPORTED SYSTEM COMPONENTS SA-22
P0 SA-22 (1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT SA-22 (1)

(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (8)

Semelhante a (2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804

Semelhante a (2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804 (20)

Mais de James W. De Rienzo

Mais de James W. De Rienzo (18)

Último

Último (20)

(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804