(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804

Map CSC 5.0 to NIST SP 800‐53 Revision 4 Security Controls & Enhancements

01: Inventory of Authorized and Unauthorized 06: Application Software Security 11: Limitation and Control of Network Ports, P 16: Account Monitoring and Control02: Inventory of Authorized and Unauthorized 07: Wireless Access Control 12: Controlled Use of Administrative Privilege 17: Data Protection

03: Secure Configurations 08: Data Recovery Capability 13: Boundary Defense 18: Incident Response and Management04: Continuous Vulnerabil 09: Security Skil 14: Maintenance 19: Secure Network Engineering

05: Ma 10: Se 15: Controlled A 20: Pe 1424 64 74 124 65 49 72 72 18 26 108 86 108 118 91 76 87 94 31 44 17

Cou

nt

ACCESS CONTROL ACCESS CONTROL

AC-01 ACCESS CONTROL POLICY AND PROCEDURES • AC-01

P1 LOW •

AC-02 ACCOUNT MANAGEMENT • • • AC-02

P1 LOW AC-2 (1) AUTOMATED SYSTEM ACCOUNT MANAGEMENT • • • AC-2 (1)

AC-2 (2) REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS • • • AC-2 (2)

AC-2 (3) DISABLE INACTIVE ACCOUNTS • • • AC-2 (3)

AC-2 (4) AUTOMATED AUDIT ACTIONS • • • AC-2 (4)

AC-2 (5) INACTIVITY LOGOUT • • • AC-2 (5)

AC-2 (6) DYNAMIC PRIVILEGE MANAGEMENT • • • AC-2 (6)

AC-2 (7) ROLE-BASED SCHEMES • • • AC-2 (7)

AC-2 (8) DYNAMIC ACCOUNT CREATION • • • AC-2 (8)

AC-2 (9) RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS • • • AC-2 (9)

AC-2 (10) SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION • • • AC-2 (10)

AC-2 (11) USAGE CONDITIONS • • • AC-2 (11)

AC-2 (12) ACCOUNT MONITORING / ATYPICAL USAGE • • • AC-2 (12)

AC-2 (13) DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS • • • AC-2 (13)

AC-03 ACCESS ENFORCEMENT • • • AC-03

P1 LOW AC-3 (1) RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS • • • AC-3 (1)

AC-3 (2) DUAL AUTHORIZATION • • • AC-3 (2)

AC-3 (3) MANDATORY ACCESS CONTROL • • • AC-3 (3)

AC-3 (4) DISCRETIONARY ACCESS CONTROL • • • AC-3 (4)

AC-3 (5) SECURITY-RELEVANT INFORMATION • • • AC-3 (5)

AC-3 (6) PROTECTION OF USER AND SYSTEM INFORMATION • • • AC-3 (6)

AC-3 (7) ROLE-BASED ACCESS CONTROL • • • AC-3 (7)

AC-3 (8) REVOCATION OF ACCESS AUTHORIZATIONS • • • AC-3 (8)

AC-3 (9) CONTROLLED RELEASE • • • AC-3 (9)

AC-3 (10) AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS • • • AC-3 (10)

AC-04 INFORMATION FLOW ENFORCEMENT • • • • • AC-04

P1 MODERATE AC-4 (1) OBJECT SECURITY ATTRIBUTES • • • • • AC-4 (1)

AC-4 (2) PROCESSING DOMAINS • • • • • AC-4 (2)

AC-4 (3) DYNAMIC INFORMATION FLOW CONTROL • • • • • AC-4 (3)

AC-4 (4) CONTENT CHECK ENCRYPTED INFORMATION • • • • • AC-4 (4)

AC-4 (5) EMBEDDED DATA TYPES • • • • • AC-4 (5)

AC-4 (6) METADATA • • • • • AC-4 (6)

AC-4 (7) ONE-WAY FLOW MECHANISMS • • • • • AC-4 (7)

AC-4 (8) SECURITY POLICY FILTERS • • • • • AC-4 (8)

AC-4 (9) HUMAN REVIEWS • • • • • AC-4 (9)

AC-4 (10) ENABLE / DISABLE SECURITY POLICY FILTERS • • • • • AC-4 (10)

AC-4 (11) CONFIGURATION OF SECURITY POLICY FILTERS • • • • • AC-4 (11)

AC-4 (12) DATA TYPE IDENTIFIERS • • • • • AC-4 (12)

AC-4 (13) DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS • • • • • AC-4 (13)

AC-4 (14) SECURITY POLICY FILTER CONSTRAINTS • • • • • AC-4 (14)

AC-4 (15) DETECTION OF UNSANCTIONED INFORMATION • • • • • AC-4 (15)

ENHANCEMENTS TABLE of 26





Cou

nt

AC-04 P1 MODERATE AC-4 (16) INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS • • • • • AC-4 (16)

AC-4 (17) DOMAIN AUTHENTICATION • • • • • AC-4 (17)

AC-4 (18) SECURITY ATTRIBUTE BINDING • • • • • AC-4 (18)

AC-4 (19) VALIDATION OF METADATA • • • • • AC-4 (19)

AC-4 (20) APPROVED SOLUTIONS • • • • • AC-4 (20)

AC-4 (21) PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS • • • • • AC-4 (21)

AC-4 (22) ACCESS ONLY • • • • • AC-4 (22)

AC-05 SEPARATION OF DUTIES AC-05

P1 MODERATE

AC-06 LEAST PRIVILEGE • • AC-06

P1 MODERATE AC-6 (1) AUTHORIZE ACCESS TO SECURITY FUNCTIONS • • AC-6 (1)

AC-6 (2) NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS • • AC-6 (2)

AC-6 (3) NETWORK ACCESS TO PRIVILEGED COMMANDS • • AC-6 (3)

AC-6 (4) SEPARATE PROCESSING DOMAINS • • AC-6 (4)

AC-6 (5) PRIVILEGED ACCOUNTS • • AC-6 (5)

AC-6 (6) PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS • • AC-6 (6)

AC-6 (7) REVIEW OF USER PRIVILEGES • • AC-6 (7)

AC-6 (8) PRIVILEGE LEVELS FOR CODE EXECUTION • • AC-6 (8)

AC-6 (9) AUDITING USE OF PRIVILEGED FUNCTIONS • • AC-6 (9)

AC-6 (10) PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS • • AC-6 (10)

AC-07 UNSUCCESSFUL LOGON ATTEMPTS • AC-07

P2 LOW AC-7 (1) AUTOMATIC ACCOUNT LOCK • AC-7 (1)

AC-7 (2) PURGE / WIPE MOBILE DEVICE • AC-7 (2)

AC-08 SYSTEM USE NOTIFICATION AC-08

P1 LOW

AC-09 PREVIOUS LOGON (ACCESS) NOTIFICATION AC-09

P0 AC-9 (1) UNSUCCESSFUL LOGONS AC-9 (1)

AC-9 (2) SUCCESSFUL / UNSUCCESSFUL LOGONS AC-9 (2)

AC-9 (3) NOTIFICATION OF ACCOUNT CHANGES AC-9 (3)

AC-9 (4) ADDITIONAL LOGON INFORMATION AC-9 (4)

AC-10 CONCURRENT SESSION CONTROL AC-10

P3 HIGH

AC-11 SESSION LOCK • AC-11

P3 MODERATE AC-11 (1) PATTERN-HIDING DISPLAYS • AC-11 (1)

AC-12 SESSION TERMINATION • AC-12

P2 MODERATE AC-12 (1) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS • AC-12 (1)

AC-13 SUPERVISION AND REVIEW ' ACCESS CONTROL AC-13

AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION AC-14

P3 LOW AC-14 (1) NECESSARY USES AC-14 (1)

AC-15 AUTOMATED MARKING AC-15






Cou

nt

AC-15

AC-16 SECURITY ATTRIBUTES AC-16

P0 AC-16 (1) DYNAMIC ATTRIBUTE ASSOCIATION AC-16 (1)

AC-16 (2) ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS AC-16 (2)

AC-16 (3) MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY INFORMATION SYSTEM AC-16 (3)

AC-16 (4) ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS AC-16 (4)

AC-16 (5) ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES AC-16 (5)

AC-16 (6) MAINTENANCE OF ATTRIBUTE ASSOCIATION BY ORGANIZATION AC-16 (6)

AC-16 (7) CONSISTENT ATTRIBUTE INTERPRETATION AC-16 (7)

AC-16 (8) ASSOCIATION TECHNIQUES / TECHNOLOGIES AC-16 (8)

AC-16 (9) ATTRIBUTE REASSIGNMENT AC-16 (9)

AC-16 (10) ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS AC-16 (10)

AC-17 REMOTE ACCESS • • AC-17

P1 LOW AC-17 (1) AUTOMATED MONITORING / CONTROL • • AC-17 (1)

AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION • • AC-17 (2)

AC-17 (3) MANAGED ACCESS CONTROL POINTS • • AC-17 (3)

AC-17 (4) PRIVILEGED COMMANDS / ACCESS • • AC-17 (4)

AC-17 (5) MONITORING FOR UNAUTHORIZED CONNECTIONS • • AC-17 (5)

AC-17 (6) PROTECTION OF INFORMATION • • AC-17 (6)

AC-17 (7) ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS • • AC-17 (7)

AC-17 (8) DISABLE NONSECURE NETWORK PROTOCOLS • • AC-17 (8)

AC-17 (9) DISCONNECT / DISABLE ACCESS • • AC-17 (9)

AC-18 WIRELESS ACCESS • AC-18

P1 LOW AC-18 (1) AUTHENTICATION AND ENCRYPTION • AC-18 (1)

AC-18 (2) MONITORING UNAUTHORIZED CONNECTIONS • AC-18 (2)

AC-18 (3) DISABLE WIRELESS NETWORKING • AC-18 (3)

AC-18 (4) RESTRICT CONFIGURATIONS BY USERS • AC-18 (4)

AC-18 (5) ANTENNAS / TRANSMISSION POWER LEVELS • AC-18 (5)

AC-19 ACCESS CONTROL FOR MOBILE DEVICES • • AC-19

P1 LOW AC-19 (1) USE OF WRITABLE / PORTABLE STORAGE DEVICES • • AC-19 (1)

AC-19 (2) USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES • • AC-19 (2)

AC-19 (3) USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER • • AC-19 (3)

AC-19 (4) RESTRICTIONS FOR CLASSIFIED INFORMATION • • AC-19 (4)

AC-19 (5) FULL DEVICE / CONTAINER-BASED ENCRYPTION • • AC-19 (5)

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS • AC-20

P1 LOW AC-20 (1) LIMITS ON AUTHORIZED USE • AC-20 (1)

AC-20 (2) PORTABLE STORAGE DEVICES • AC-20 (2)

AC-20 (3) NON-ORGANIZATIONALLY OWNED SYSTEMS / COMPONENTS / DEVICES • AC-20 (3)

AC-20 (4) NETWORK ACCESSIBLE STORAGE DEVICES • AC-20 (4)

AC-21 INFORMATION SHARING AC-21

P2 MODERATE AC-21 (1) AUTOMATED DECISION SUPPORT AC-21 (1)

AC-21 (2) INFORMATION SEARCH AND RETRIEVAL AC-21 (2)






Cou

nt

AC-22 PUBLICLY ACCESSIBLE CONTENT AC-22

P3 LOW

AC-23 DATA MINING PROTECTION • • AC-23

P0 • •

AC-24 ACCESS CONTROL DECISIONS • AC-24

P0 AC-24 (1) TRANSMIT ACCESS AUTHORIZATION INFORMATION • AC-24 (1)

AC-24 (2) NO USER OR PROCESS IDENTITY • AC-24 (2)

AC-25 REFERENCE MONITOR AC-25

P0

AUDIT AND ACCOUNTABILITY AUDIT AND ACCOUNTABILITY

AU-01 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES AU-01

P1 LOW

AU-02 AUDIT EVENTS • AU-02

P1 LOW AU-2 (1) COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES • AU-2 (1)

AU-2 (2) SELECTION OF AUDIT EVENTS BY COMPONENT • AU-2 (2)

AU-2 (3) REVIEWS AND UPDATES • AU-2 (3)

AU-2 (4) PRIVILEGED FUNCTIONS • AU-2 (4)

AU-03 CONTENT OF AUDIT RECORDS • AU-03

P1 LOW AU-3 (1) ADDITIONAL AUDIT INFORMATION • AU-3 (1)

AU-3 (2) CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT • AU-3 (2)

AU-04 AUDIT STORAGE CAPACITY • AU-04

P1 LOW AU-4 (1) TRANSFER TO ALTERNATE STORAGE • AU-4 (1)

AU-05 RESPONSE TO AUDIT PROCESSING FAILURES • AU-05

P1 LOW AU-5 (1) AUDIT STORAGE CAPACITY • AU-5 (1)

AU-5 (2) REAL-TIME ALERTS • AU-5 (2)

AU-5 (3) CONFIGURABLE TRAFFIC VOLUME THRESHOLDS • AU-5 (3)

AU-5 (4) SHUTDOWN ON FAILURE • AU-5 (4)

AU-06 AUDIT REVIEW, ANALYSIS, AND REPORTING • AU-06

P1 LOW AU-6 (1) PROCESS INTEGRATION • AU-6 (1)

AU-6 (2) AUTOMATED SECURITY ALERTS • AU-6 (2)

AU-6 (3) CORRELATE AUDIT REPOSITORIES • AU-6 (3)

AU-6 (4) CENTRAL REVIEW AND ANALYSIS • AU-6 (4)

AU-6 (5) INTEGRATION / SCANNING AND MONITORING CAPABILITIES • AU-6 (5)

AU-6 (6) CORRELATION WITH PHYSICAL MONITORING • AU-6 (6)

AU-6 (7) PERMITTED ACTIONS • AU-6 (7)

AU-6 (8) FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS • AU-6 (8)

AU-6 (9) CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES • AU-6 (9)

AU-6 (10) AUDIT LEVEL ADJUSTMENT • AU-6 (10)

AU-07 AUDIT REDUCTION AND REPORT GENERATION • AU-07

P2 MODERATE AU-7 (1) AUTOMATIC PROCESSING • AU-7 (1)

AU-7 (2) AUTOMATIC SORT AND SEARCH • AU-7 (2)






Cou

nt

AU-07 P2 MODERATE

AU-08 TIME STAMPS • AU-08

P1 LOW AU-8 (1) SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE • AU-8 (1)

AU-8 (2) SECONDARY AUTHORITATIVE TIME SOURCE • AU-8 (2)

AU-09 PROTECTION OF AUDIT INFORMATION • AU-09

P1 LOW AU-9 (1) HARDWARE WRITE-ONCE MEDIA • AU-9 (1)

AU-9 (2) AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS • AU-9 (2)

AU-9 (3) CRYPTOGRAPHIC PROTECTION • AU-9 (3)

AU-9 (4) ACCESS BY SUBSET OF PRIVILEGED USERS • AU-9 (4)

AU-9 (5) DUAL AUTHORIZATION • AU-9 (5)

AU-9 (6) READ ONLY ACCESS • AU-9 (6)

AU-10 NON-REPUDIATION • AU-10

P2 HIGH AU-10 (1) ASSOCIATION OF IDENTITIES • AU-10 (1)

AU-10 (2) VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY • AU-10 (2)

AU-10 (3) CHAIN OF CUSTODY • AU-10 (3)

AU-10 (4) VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY • AU-10 (4)

AU-10 (5) DIGITAL SIGNATURES • AU-10 (5)

AU-11 AUDIT RECORD RETENTION • AU-11

P3 LOW AU-11 (1) LONG-TERM RETRIEVAL CAPABILITY • AU-11 (1)

AU-12 AUDIT GENERATION • AU-12

P1 LOW AU-12 (1) SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL • AU-12 (1)

AU-12 (2) STANDARDIZED FORMATS • AU-12 (2)

AU-12 (3) CHANGES BY AUTHORIZED INDIVIDUALS • AU-12 (3)

AU-13 MONITORING FOR INFORMATION DISCLOSURE • AU-13

P0 AU-13 (1) USE OF AUTOMATED TOOLS • AU-13 (1)

AU-13 (2) REVIEW OF MONITORED SITES • AU-13 (2)

AU-14 SESSION AUDIT • AU-14

P0 AU-14 (1) SYSTEM START-UP • AU-14 (1)

AU-14 (2) CAPTURE/RECORD AND LOG CONTENT • AU-14 (2)

AU-14 (3) REMOTE VIEWING / LISTENING • AU-14 (3)

AU-15 ALTERNATE AUDIT CAPABILITY AU-15

P0

AU-16 CROSS-ORGANIZATIONAL AUDITING AU-16

P0 AU-16 (1) IDENTITY PRESERVATION AU-16 (1)

AU-16 (2) SHARING OF AUDIT INFORMATION AU-16 (2)

AWARENESS AND TRAINING AWARENESS AND TRAINING

AT-01 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES • AT-01

P1 LOW •

AT-02 SECURITY AWARENESS TRAINING • AT-02






Cou

nt

AT-02 P1 LOW AT-2 (1) PRACTICAL EXERCISES • AT-2 (1)

AT-2 (2) INSIDER THREAT • AT-2 (2)

AT-03 ROLE-BASED SECURITY TRAINING • AT-03

P1 LOW AT-3 (1) ENVIRONMENTAL CONTROLS • AT-3 (1)

AT-3 (2) PHYSICAL SECURITY CONTROLS • AT-3 (2)

AT-3 (3) PRACTICAL EXERCISES • AT-3 (3)

AT-3 (4) SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR • AT-3 (4)

AT-04 SECURITY TRAINING RECORDS • AT-04

P3 LOW •

AT-05 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS AT-05

CONFIGURATION MANAGEMENT CONFIGURATION MANAGEMENT

CM-01 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES CM-01

P1 LOW

CM-02 BASELINE CONFIGURATION • • • • • • CM-02

P1 LOW CM-2 (1) REVIEWS AND UPDATES • • • • • • CM-2 (1)

CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY • • • • • • CM-2 (2)

CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS • • • • • • CM-2 (3)

CM-2 (4) UNAUTHORIZED SOFTWARE • • • • • • CM-2 (4)

CM-2 (5) AUTHORIZED SOFTWARE • • • • • • CM-2 (5)

CM-2 (6) DEVELOPMENT AND TEST ENVIRONMENTS • • • • • • CM-2 (6)

CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS • • • • • • CM-2 (7)

CM-03 CONFIGURATION CHANGE CONTROL • • CM-03

P1 MODERATE CM-3 (1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES • • CM-3 (1)

CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES • • CM-3 (2)

CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION • • CM-3 (3)

CM-3 (4) SECURITY REPRESENTATIVE • • CM-3 (4)

CM-3 (5) AUTOMATED SECURITY RESPONSE • • CM-3 (5)

CM-3 (6) CRYPTOGRAPHY MANAGEMENT • • CM-3 (6)

CM-04 SECURITY IMPACT ANALYSIS CM-04

P2 LOW CM-4 (1) SEPARATE TEST ENVIRONMENTS CM-4 (1)

CM-4 (2) VERIFICATION OF SECURITY FUNCTIONS CM-4 (2)

CM-05 ACCESS RESTRICTIONS FOR CHANGE • • CM-05

P1 MODERATE CM-5 (1) AUTOMATED ACCESS ENFORCEMENT / AUDITING • • CM-5 (1)

CM-5 (2) REVIEW SYSTEM CHANGES • • CM-5 (2)

CM-5 (3) SIGNED COMPONENTS • • CM-5 (3)

CM-5 (4) DUAL AUTHORIZATION • • CM-5 (4)

CM-5 (5) LIMIT PRODUCTION / OPERATIONAL PRIVILEGES • • CM-5 (5)

CM-5 (6) LIMIT LIBRARY PRIVILEGES • • CM-5 (6)

CM-5 (7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS • • CM-5 (7)

CM-06 CONFIGURATION SETTINGS • • • CM-06






Cou

nt

CM-06 P1 LOW CM-6 (1) AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION • • • CM-6 (1)

CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES • • • CM-6 (2)

CM-6 (3) UNAUTHORIZED CHANGE DETECTION • • • CM-6 (3)

CM-6 (4) CONFORMANCE DEMONSTRATION • • • CM-6 (4)

CM-07 LEAST FUNCTIONALITY • CM-07

P1 LOW CM-7 (1) PERIODIC REVIEW • CM-7 (1)

CM-7 (2) PREVENT PROGRAM EXECUTION • CM-7 (2)

CM-7 (3) REGISTRATION COMPLIANCE • CM-7 (3)

CM-7 (4) UNAUTHORIZED SOFTWARE / BLACKLISTING • CM-7 (4)

CM-7 (5) AUTHORIZED SOFTWARE / WHITELISTING • CM-7 (5)

CM-08 INFORMATION SYSTEM COMPONENT INVENTORY • • • • • CM-08

P1 LOW CM-8 (1) UPDATES DURING INSTALLATIONS / REMOVALS • • • • • CM-8 (1)

CM-8 (2) AUTOMATED MAINTENANCE • • • • • CM-8 (2)

CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION • • • • • CM-8 (3)

CM-8 (4) ACCOUNTABILITY INFORMATION • • • • • CM-8 (4)

CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS • • • • • CM-8 (5)

CM-8 (6) ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS • • • • • CM-8 (6)

CM-8 (7) CENTRALIZED REPOSITORY • • • • • CM-8 (7)

CM-8 (8) AUTOMATED LOCATION TRACKING • • • • • CM-8 (8)

CM-8 (9) ASSIGNMENT OF COMPONENTS TO SYSTEMS • • • • • CM-8 (9)

CM-09 CONFIGURATION MANAGEMENT PLAN • CM-09

P1 MODERATE CM-9 (1) ASSIGNMENT OF RESPONSIBILITY • CM-9 (1)

CM-10 SOFTWARE USAGE RESTRICTIONS • CM-10

P2 LOW CM-10 (1) OPEN SOURCE SOFTWARE • CM-10 (1)

CM-11 USER-INSTALLED SOFTWARE • • CM-11

P1 LOW CM-11 (1) ALERTS FOR UNAUTHORIZED INSTALLATIONS • • CM-11 (1)

CM-11 (2) PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS • • CM-11 (2)

CONTINGENCY PLANNING CONTINGENCY PLANNING

CP-01 CONTINGENCY PLANNING POLICY AND PROCEDURES CP-01

P1 LOW

CP-02 CONTINGENCY PLAN CP-02

P1 LOW CP-2 (1) COORDINATE WITH RELATED PLANS CP-2 (1)

CP-2 (2) CAPACITY PLANNING CP-2 (2)

CP-2 (3) RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS CP-2 (3)

CP-2 (4) RESUME ALL MISSIONS / BUSINESS FUNCTIONS CP-2 (4)

CP-2 (5) CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS CP-2 (5)

CP-2 (6) ALTERNATE PROCESSING / STORAGE SITE CP-2 (6)

CP-2 (7) COORDINATE WITH EXTERNAL SERVICE PROVIDERS CP-2 (7)

CP-2 (8) IDENTIFY CRITICAL ASSETS CP-2 (8)

CP-03 CONTINGENCY TRAINING CP-03






Cou

nt

CP-03 P2 LOW CP-3 (1) SIMULATED EVENTS CP-3 (1)

CP-3 (2) AUTOMATED TRAINING ENVIRONMENTS CP-3 (2)

CP-04 CONTINGENCY PLAN TESTING CP-04

P2 LOW CP-4 (1) COORDINATE WITH RELATED PLANS CP-4 (1)

CP-4 (2) ALTERNATE PROCESSING SITE CP-4 (2)

CP-4 (3) AUTOMATED TESTING CP-4 (3)

CP-4 (4) FULL RECOVERY / RECONSTITUTION CP-4 (4)

CP-05 CONTINGENCY PLAN UPDATE CP-05

CP-06 ALTERNATE STORAGE SITE CP-06

P1 MODERATE CP-6 (1) SEPARATION FROM PRIMARY SITE CP-6 (1)

CP-6 (2) RECOVERY TIME / POINT OBJECTIVES CP-6 (2)

CP-6 (3) ACCESSIBILITY CP-6 (3)

CP-07 ALTERNATE PROCESSING SITE CP-07

P1 MODERATE CP-7 (1) SEPARATION FROM PRIMARY SITE CP-7 (1)

CP-7 (2) ACCESSIBILITY CP-7 (2)

CP-7 (3) PRIORITY OF SERVICE CP-7 (3)

CP-7 (4) PREPARATION FOR USE CP-7 (4)

CP-7 (5) EQUIVALENT INFORMATION SECURITY SAFEGUARDS CP-7 (5)

CP-7 (6) INABILITY TO RETURN TO PRIMARY SITE CP-7 (6)

CP-08 TELECOMMUNICATIONS SERVICES CP-08

P1 MODERATE CP-8 (1) PRIORITY OF SERVICE PROVISIONS CP-8 (1)

CP-8 (2) SINGLE POINTS OF FAILURE CP-8 (2)

CP-8 (3) SEPARATION OF PRIMARY / ALTERNATE PROVIDERS CP-8 (3)

CP-8 (4) PROVIDER CONTINGENCY PLAN CP-8 (4)

CP-8 (5) ALTERNATE TELECOMMUNICATION SERVICE TESTING CP-8 (5)

CP-09 INFORMATION SYSTEM BACKUP • CP-09

P1 LOW CP-9 (1) TESTING FOR RELIABILITY / INTEGRITY • CP-9 (1)

CP-9 (2) TEST RESTORATION USING SAMPLING • CP-9 (2)

CP-9 (3) SEPARATE STORAGE FOR CRITICAL INFORMATION • CP-9 (3)

CP-9 (4) PROTECTION FROM UNAUTHORIZED MODIFICATION • CP-9 (4)

CP-9 (5) TRANSFER TO ALTERNATE STORAGE SITE • CP-9 (5)

CP-9 (6) REDUNDANT SECONDARY SYSTEM • CP-9 (6)

CP-9 (7) DUAL AUTHORIZATION • CP-9 (7)

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION • CP-10

P1 LOW CP-10 (1) CONTINGENCY PLAN TESTING • CP-10 (1)

CP-10 (2) TRANSACTION RECOVERY • CP-10 (2)

CP-10 (3) COMPENSATING SECURITY CONTROLS • CP-10 (3)

CP-10 (4) RESTORE WITHIN TIME PERIOD • CP-10 (4)

CP-10 (5) FAILOVER CAPABILITY • CP-10 (5)

CP-10 (6) COMPONENT PROTECTION • CP-10 (6)






Cou

nt

CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS CP-11

P0

CP-12 SAFE MODE CP-12

P0

CP-13 ALTERNATIVE SECURITY MECHANISMS CP-13

P0

IDENTIFICATION AND AUTHENTICATION IDENTIFICATION AND AUTHENTICATION

IA-01 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES IA-01

P1 LOW

IA-02 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) • IA-02

P1 LOW IA-2 (1) NETWORK ACCESS TO PRIVILEGED ACCOUNTS • IA-2 (1)

IA-2 (2) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS • IA-2 (2)

IA-2 (3) LOCAL ACCESS TO PRIVILEGED ACCOUNTS • IA-2 (3)

IA-2 (4) LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS • IA-2 (4)

IA-2 (5) GROUP AUTHENTICATION • IA-2 (5)

IA-2 (6) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE • IA-2 (6)

IA-2 (7) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE • IA-2 (7)

IA-2 (8) NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT • IA-2 (8)

IA-2 (9) NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT • IA-2 (9)

IA-2 (10) SINGLE SIGN-ON • IA-2 (10)

IA-2 (11) REMOTE ACCESS - SEPARATE DEVICE • IA-2 (11)

IA-2 (12) ACCEPTANCE OF PIV CREDENTIALS • IA-2 (12)

IA-2 (13) OUT-OF-BAND AUTHENTICATION • IA-2 (13)

IA-03 DEVICE IDENTIFICATION AND AUTHENTICATION • • IA-03

P1 MODERATE IA-3 (1) CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION • • IA-3 (1)

IA-3 (2) CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION • • IA-3 (2)

IA-3 (3) DYNAMIC ADDRESS ALLOCATION • • IA-3 (3)

IA-3 (4) DEVICE ATTESTATION • • IA-3 (4)

IA-04 IDENTIFIER MANAGEMENT • IA-04

P1 LOW IA-4 (1) PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS • IA-4 (1)

IA-4 (2) SUPERVISOR AUTHORIZATION • IA-4 (2)

IA-4 (3) MULTIPLE FORMS OF CERTIFICATION • IA-4 (3)

IA-4 (4) IDENTIFY USER STATUS • IA-4 (4)

IA-4 (5) DYNAMIC MANAGEMENT • IA-4 (5)

IA-4 (6) CROSS-ORGANIZATION MANAGEMENT • IA-4 (6)

IA-4 (7) IN-PERSON REGISTRATION • IA-4 (7)

IA-05 AUTHENTICATOR MANAGEMENT • • IA-05

P1 LOW IA-5 (1) PASSWORD-BASED AUTHENTICATION • • IA-5 (1)

IA-5 (2) PKI-BASED AUTHENTICATION • • IA-5 (2)

IA-5 (3) IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION • • IA-5 (3)

IA-5 (4) AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION • • IA-5 (4)

IA-5 (5) CHANGE AUTHENTICATORS PRIOR TO DELIVERY • • IA-5 (5)

IA-5 (6) PROTECTION OF AUTHENTICATORS • • IA-5 (6)

IA-5 (7) NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS • • IA-5 (7)






Cou

nt

P1 LOW IA-5 (8) MULTIPLE INFORMATION SYSTEM ACCOUNTS • • IA-5 (8)

IA-5 (9) CROSS-ORGANIZATION CREDENTIAL MANAGEMENT • • IA-5 (9)

IA-5 (10) DYNAMIC CREDENTIAL ASSOCIATION • • IA-5 (10)

IA-5 (11) HARDWARE TOKEN-BASED AUTHENTICATION • • IA-5 (11)

IA-5 (12) BIOMETRIC AUTHENTICATION • • IA-5 (12)

IA-5 (13) EXPIRATION OF CACHED AUTHENTICATORS • • IA-5 (13)

IA-5 (14) MANAGING CONTENT OF PKI TRUST STORES • • IA-5 (14)

IA-5 (15) FICAM-APPROVED PRODUCTS AND SERVICES • • IA-5 (15)

IA-06 AUTHENTICATOR FEEDBACK IA-06

P2 LOW

IA-07 CRYPTOGRAPHIC MODULE AUTHENTICATION IA-07

P1 LOW

IA-08 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) IA-08

P1 LOW IA-8 (1) ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES IA-8 (1)

IA-8 (2) ACCEPTANCE OF THIRD-PARTY CREDENTIALS IA-8 (2)

IA-8 (3) USE OF FICAM-APPROVED PRODUCTS IA-8 (3)

IA-8 (4) USE OF FICAM-ISSUED PROFILES IA-8 (4)

IA-8 (5) ACCEPTANCE OF PIV-I CREDENTIALS IA-8 (5)

IA-09 SERVICE IDENTIFICATION AND AUTHENTICATION IA-09

P0 IA-9 (1) INFORMATION EXCHANGE IA-9 (1)

IA-9 (2) TRANSMISSION OF DECISIONS IA-9 (2)

IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION • • IA-10

P0 • •

IA-11 RE-AUTHENTICATION IA-11

P0

INCIDENT RESPONSE INCIDENT RESPONSE

IR-01 INCIDENT RESPONSE POLICY AND PROCEDURES • IR-01

P1 LOW •

IR-02 INCIDENT RESPONSE TRAINING • IR-02

P2 LOW IR-2 (1) SIMULATED EVENTS • IR-2 (1)

IR-2 (2) AUTOMATED TRAINING ENVIRONMENTS • IR-2 (2)

IR-03 INCIDENT RESPONSE TESTING • IR-03

P2 MODERATE IR-3 (1) AUTOMATED TESTING • IR-3 (1)

IR-3 (2) COORDINATION WITH RELATED PLANS • IR-3 (2)

IR-04 INCIDENT HANDLING • IR-04

P1 LOW IR-4 (1) AUTOMATED INCIDENT HANDLING PROCESSES • IR-4 (1)

IR-4 (2) DYNAMIC RECONFIGURATION • IR-4 (2)

IR-4 (3) CONTINUITY OF OPERATIONS • IR-4 (3)

IR-4 (4) INFORMATION CORRELATION • IR-4 (4)

IR-4 (5) AUTOMATIC DISABLING OF INFORMATION SYSTEM • IR-4 (5)

IR-4 (6) INSIDER THREATS - SPECIFIC CAPABILITIES • IR-4 (6)

IR-4 (7) INSIDER THREATS - INTRA-ORGANIZATION COORDINATION • IR-4 (7)






Cou

nt

IR-04 P1 LOW IR-4 (8) CORRELATION WITH EXTERNAL ORGANIZATIONS • IR-4 (8)

IR-4 (9) DYNAMIC RESPONSE CAPABILITY • IR-4 (9)

IR-4 (10) SUPPLY CHAIN COORDINATION • IR-4 (10)

IR-05 INCIDENT MONITORING • IR-05

P1 LOW IR-5 (1) AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS IR-5 (1)

IR-06 INCIDENT REPORTING • IR-06

P1 LOW IR-6 (1) AUTOMATED REPORTING • IR-6 (1)

IR-6 (2) VULNERABILITIES RELATED TO INCIDENTS • IR-6 (2)

IR-6 (3) COORDINATION WITH SUPPLY CHAIN • IR-6 (3)

IR-07 INCIDENT RESPONSE ASSISTANCE • IR-07

P2 LOW IR-7 (1) AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT • IR-7 (1)

IR-7 (2) COORDINATION WITH EXTERNAL PROVIDERS • IR-7 (2)

IR-08 INCIDENT RESPONSE PLAN • IR-08

P1 LOW •

IR-09 INFORMATION SPILLAGE RESPONSE • IR-09

P0 IR-9 (1) RESPONSIBLE PERSONNEL • IR-9 (1)

IR-9 (2) TRAINING • IR-9 (2)

IR-9 (3) POST-SPILL OPERATIONS • IR-9 (3)

IR-9 (4) EXPOSURE TO UNAUTHORIZED PERSONNEL • IR-9 (4)

IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM • IR-10

P0 •

MAINTENANCE MAINTENANCE

MA-01 SYSTEM MAINTENANCE POLICY AND PROCEDURES MA-01

P1 LOW

MA-02 CONTROLLED MAINTENANCE MA-02

P2 LOW MA-2 (1) RECORD CONTENT MA-2 (1)

MA-2 (2) AUTOMATED MAINTENANCE ACTIVITIES MA-2 (2)

MA-03 MAINTENANCE TOOLS MA-03

P3 MODERATE MA-3 (1) INSPECT TOOLS MA-3 (1)

MA-3 (2) INSPECT MEDIA MA-3 (2)

MA-3 (3) PREVENT UNAUTHORIZED REMOVAL MA-3 (3)

MA-3 (4) RESTRICTED TOOL USE MA-3 (4)

MA-04 NONLOCAL MAINTENANCE • • MA-04

P2 LOW MA-4 (1) AUDITING AND REVIEW • • MA-4 (1)

MA-4 (2) DOCUMENT NONLOCAL MAINTENANCE • • MA-4 (2)

MA-4 (3) COMPARABLE SECURITY / SANITIZATION • • MA-4 (3)

MA-4 (4) AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS • • MA-4 (4)

MA-4 (5) APPROVALS AND NOTIFICATIONS • • MA-4 (5)

MA-4 (6) CRYPTOGRAPHIC PROTECTION • • MA-4 (6)

MA-4 (7) REMOTE DISCONNECT VERIFICATION • • MA-4 (7)






Cou

nt

MA-04 P2 LOW

MA-05 MAINTENANCE PERSONNEL MA-05

P2 LOW MA-5 (1) INDIVIDUALS WITHOUT APPROPRIATE ACCESS MA-5 (1)

MA-5 (2) SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS MA-5 (2)

MA-5 (3) CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS MA-5 (3)

MA-5 (4) FOREIGN NATIONALS MA-5 (4)

MA-5 (5) NONSYSTEM-RELATED MAINTENANCE MA-5 (5)

MA-06 TIMELY MAINTENANCE MA-06

P2 MODERATE MA-6 (1) PREVENTIVE MAINTENANCE MA-6 (1)

MA-6 (2) PREDICTIVE MAINTENANCE MA-6 (2)

MA-6 (3) AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE MA-6 (3)

MEDIA PROTECTION MEDIA PROTECTION

MP-01 MEDIA PROTECTION POLICY AND PROCEDURES MP-01

P1 LOW

MP-02 MEDIA ACCESS MP-02

P1 LOW MP-2 (1) AUTOMATED RESTRICTED ACCESS MP-2 (1)

MP-2 (2) CRYPTOGRAPHIC PROTECTION MP-2 (2)

MP-03 MEDIA MARKING • MP-03

P2 MODERATE •

MP-04 MEDIA STORAGE • MP-04

P1 MODERATE MP-4 (1) CRYPTOGRAPHIC PROTECTION • MP-4 (1)

MP-4 (2) AUTOMATED RESTRICTED ACCESS • MP-4 (2)

MP-05 MEDIA TRANSPORT • MP-05

P1 MODERATE MP-5 (1) PROTECTION OUTSIDE OF CONTROLLED AREAS • MP-5 (1)

MP-5 (2) DOCUMENTATION OF ACTIVITIES • MP-5 (2)

MP-5 (3) CUSTODIANS • MP-5 (3)

MP-5 (4) CRYPTOGRAPHIC PROTECTION • MP-5 (4)

MP-06 MEDIA SANITIZATION MP-06

P1 LOW MP-6 (1) REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY MP-6 (1)

MP-6 (2) EQUIPMENT TESTING MP-6 (2)

MP-6 (3) NONDESTRUCTIVE TECHNIQUES MP-6 (3)

MP-6 (4) CONTROLLED UNCLASSIFIED INFORMATION MP-6 (4)

MP-6 (5) CLASSIFIED INFORMATION MP-6 (5)

MP-6 (6) MEDIA DESTRUCTION MP-6 (6)

MP-6 (7) DUAL AUTHORIZATION MP-6 (7)

MP-6 (8) REMOTE PURGING / WIPING OF INFORMATION MP-6 (8)

MP-07 MEDIA USE MP-07

P1 LOW MP-7 (1) PROHIBIT USE WITHOUT OWNER MP-7 (1)

MP-7 (2) PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA MP-7 (2)

MP-08 MEDIA DOWNGRADING MP-08






Cou

nt

MP-08 P0 MP-8 (1) DOCUMENTATION OF PROCESS MP-8 (1)

MP-8 (2) EQUIPMENT TESTING MP-8 (2)

MP-8 (3) CONTROLLED UNCLASSIFIED INFORMATION MP-8 (3)

MP-8 (4) CLASSIFIED INFORMATION MP-8 (4)

PERSONNEL SECURITY PERSONNEL SECURITY

PS-01 PERSONNEL SECURITY POLICY AND PROCEDURES PS-01

P1 LOW

PS-02 POSITION RISK DESIGNATION PS-02

P1 LOW

PS-03 PERSONNEL SCREENING PS-03

P1 LOW PS-3 (1) CLASSIFIED INFORMATION PS-3 (1)

PS-3 (2) FORMAL INDOCTRINATION PS-3 (2)

PS-3 (3) INFORMATION WITH SPECIAL PROTECTION MEASURES PS-3 (3)

PS-04 PERSONNEL TERMINATION PS-04

P1 LOW PS-4 (1) POST-EMPLOYMENT REQUIREMENTS PS-4 (1)

PS-4 (2) AUTOMATED NOTIFICATION PS-4 (2)

PS-05 PERSONNEL TRANSFER PS-05

P2 LOW

PS-06 ACCESS AGREEMENTS PS-06

P3 LOW PS-6 (1) INFORMATION REQUIRING SPECIAL PROTECTION PS-6 (1)

PS-6 (2) CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION PS-6 (2)

PS-6 (3) POST-EMPLOYMENT REQUIREMENTS PS-6 (3)

PS-07 THIRD-PARTY PERSONNEL SECURITY PS-07

P1 LOW

PS-08 PERSONNEL SANCTIONS PS-08

P3 LOW

PHYSICAL AND ENVIRONMENTAL PROTECTION PHYSICAL AND ENVIRONMENTAL PROTECTION

PE-01 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES PE-01

P1 LOW

PE-02 PHYSICAL ACCESS AUTHORIZATIONS PE-02

P1 LOW PE-2 (1) ACCESS BY POSITION / ROLE PE-2 (1)

PE-2 (2) TWO FORMS OF IDENTIFICATION PE-2 (2)

PE-2 (3) RESTRICT UNESCORTED ACCESS PE-2 (3)

PE-03 PHYSICAL ACCESS CONTROL PE-03

P1 LOW PE-3 (1) INFORMATION SYSTEM ACCESS PE-3 (1)

PE-3 (2) FACILITY / INFORMATION SYSTEM BOUNDARIES PE-3 (2)

PE-3 (3) CONTINUOUS GUARDS / ALARMS / MONITORING PE-3 (3)

PE-3 (4) LOCKABLE CASINGS PE-3 (4)

PE-3 (5) TAMPER PROTECTION PE-3 (5)

PE-3 (6) FACILITY PENETRATION TESTING PE-3 (6)






Cou

nt

PE-04 ACCESS CONTROL FOR TRANSMISSION MEDIUM PE-04

P1 MODERATE

PE-05 ACCESS CONTROL FOR OUTPUT DEVICES PE-05

P2 MODERATE PE-5 (1) ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS PE-5 (1)

PE-5 (2) ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY PE-5 (2)

PE-5 (3) MARKING OUTPUT DEVICES PE-5 (3)

PE-06 MONITORING PHYSICAL ACCESS PE-06

P1 LOW PE-6 (1) INTRUSION ALARMS / SURVEILLANCE EQUIPMENT PE-6 (1)

PE-6 (2) AUTOMATED INTRUSION RECOGNITION / RESPONSES PE-6 (2)

PE-6 (3) VIDEO SURVEILLANCE PE-6 (3)

PE-6 (4) MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS PE-6 (4)

PE-07 VISITOR CONTROL PE-07

PE-08 VISITOR ACCESS RECORDS PE-08

P3 LOW PE-8 (1) AUTOMATED RECORDS MAINTENANCE / REVIEW PE-8 (1)

PE-8 (2) PHYSICAL ACCESS RECORDS PE-8 (2)

PE-09 POWER EQUIPMENT AND CABLING PE-09

P1 MODERATE PE-9 (1) REDUNDANT CABLING PE-9 (1)

PE-9 (2) AUTOMATIC VOLTAGE CONTROLS PE-9 (2)

PE-10 EMERGENCY SHUTOFF PE-10

P1 MODERATE PE-10 (1) ACCIDENTAL / UNAUTHORIZED ACTIVATION PE-10 (1)

PE-11 EMERGENCY POWER PE-11

P1 MODERATE PE-11 (1) LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY PE-11 (1)

PE-11 (2) LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED PE-11 (2)

PE-12 EMERGENCY LIGHTING PE-12

P1 LOW PE-12 (1) ESSENTIAL MISSIONS / BUSINESS FUNCTIONS PE-12 (1)

PE-13 FIRE PROTECTION PE-13

P1 LOW PE-13 (1) DETECTION DEVICES / SYSTEMS PE-13 (1)

PE-13 (2) SUPPRESSION DEVICES / SYSTEMS PE-13 (2)

PE-13 (3) AUTOMATIC FIRE SUPPRESSION PE-13 (3)

PE-13 (4) INSPECTIONS PE-13 (4)

PE-14 TEMPERATURE AND HUMIDITY CONTROLS PE-14

P1 LOW PE-14 (1) AUTOMATIC CONTROLS PE-14 (1)

PE-14 (2) MONITORING WITH ALARMS / NOTIFICATIONS PE-14 (2)

PE-15 WATER DAMAGE PROTECTION PE-15

P1 LOW PE-15 (1) AUTOMATION SUPPORT PE-15 (1)

PE-16 DELIVERY AND REMOVAL PE-16

P2 LOW






Cou

nt

PE-17 ALTERNATE WORK SITE PE-17

P2 MODERATE

PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS PE-18

P3 HIGH PE-18 (1) FACILITY SITE PE-18 (1)

PE-19 INFORMATION LEAKAGE PE-19

P0 PE-19 (1) NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES PE-19 (1)

PE-20 ASSET MONITORING AND TRACKING PE-20

P0

PLANNING PLANNING

PL-01 SECURITY PLANNING POLICY AND PROCEDURES PL-01

P1 LOW

PL-02 SYSTEM SECURITY PLAN PL-02

P1 LOW PL-2 (1) CONCEPT OF OPERATIONS PL-2 (1)

PL-2 (2) FUNCTIONAL ARCHITECTURE PL-2 (2)

PL-2 (3) PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES PL-2 (3)

PL-03 SYSTEM SECURITY PLAN UPDATE PL-03

PL-04 RULES OF BEHAVIOR PL-04

P2 LOW PL-4 (1) SOCIAL MEDIA AND NETWORKING RESTRICTIONS PL-4 (1)

PL-05 PRIVACY IMPACT ASSESSMENT PL-05

PL-06 SECURITY-RELATED ACTIVITY PLANNING PL-06

PL-07 SECURITY CONCEPT OF OPERATIONS PL-07

P0

PL-08 INFORMATION SECURITY ARCHITECTURE PL-08

P1 MODERATE PL-8 (1) DEFENSE-IN-DEPTH PL-8 (1)

PL-8 (2) SUPPLIER DIVERSITY PL-8 (2)

PL-09 CENTRAL MANAGEMENT PL-09

P0

Program Management Program Management

PM-01 INFORMATION SECURITY PROGRAM PLAN PM-01

PM-02 SENIOR INFORMATION SECURITY OFFICER PM-02

PM-03 INFORMATION SECURITY RESOURCES PM-03

PM-04 PLAN OF ACTION AND MILESTONES PROCESS PM-04

PM-05 INFORMATION SYSTEM INVENTORY • • PM-05






Cou

nt

PM-06 INFORMATION SECURITY MEASURES OF PERFORMANCE • PM-06

PM-07 ENTERPRISE ARCHITECTURE PM-07

PM-08 CRITICAL INFRASTRUCTURE PLAN PM-08

PM-09 RISK MANAGEMENT STRATEGY PM-09

PM-10 SECURITY AUTHORIZATION PROCESS PM-10

PM-11 MISSION/BUSINESS PROCESS DEFINITION PM-11

PM-12 INSIDER THREAT PROGRAM PM-12

PM-13 INFORMATION SECURITY WORKFORCE • PM-13

PM-14 TESTING, TRAINING, AND MONITORING • • PM-14

PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS PM-15

PM-16 THREAT AWARENESS PROGRAM • • PM-16

RISK ASSESSMENT RISK ASSESSMENT

RA-01 RISK ASSESSMENT POLICY AND PROCEDURES RA-01

P1 LOW

RA-02 SECURITY CATEGORIZATION • RA-02

P1 LOW •

RA-03 RISK ASSESSMENT RA-03

P1 LOW

RA-04 RISK ASSESSMENT UPDATE RA-04

RA-05 VULNERABILITY SCANNING • • • RA-05

P1 LOW RA-5 (1) UPDATE TOOL CAPABILITY • • • RA-5 (1)

RA-5 (2) UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED • • • RA-5 (2)

RA-5 (3) BREADTH / DEPTH OF COVERAGE • • • RA-5 (3)

RA-5 (4) DISCOVERABLE INFORMATION • • • RA-5 (4)

RA-5 (5) PRIVILEGED ACCESS • • • RA-5 (5)

RA-5 (6) AUTOMATED TREND ANALYSES • • • RA-5 (6)

RA-5 (7) AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS • • • RA-5 (7)

RA-5 (8) REVIEW HISTORIC AUDIT LOGS • • • RA-5 (8)

RA-5 (9) PENETRATION TESTING AND ANALYSES • • • RA-5 (9)

RA-5 (10) CORRELATE SCANNING INFORMATION • • • RA-5 (10)

RA-06 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY • RA-06

P0 •

SECURITY ASSESSMENT AND AUTHORIZATION SECURITY ASSESSMENT AND AUTHORIZATION






Cou

nt

CA-01 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES CA-01

P1 LOW

CA-02 SECURITY ASSESSMENTS • • CA-02

P2 LOW CA-2 (1) INDEPENDENT ASSESSORS • • CA-2 (1)

CA-2 (2) SPECIALIZED ASSESSMENTS • • CA-2 (2)

CA-2 (3) EXTERNAL ORGANIZATIONS • • CA-2 (3)

CA-03 SYSTEM INTERCONNECTIONS • • • • CA-03

P1 LOW CA-3 (1) UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (1)

CA-3 (2) CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (2)

CA-3 (3) UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS • • • • CA-3 (3)

CA-3 (4) CONNECTIONS TO PUBLIC NETWORKS • • • • CA-3 (4)

CA-3 (5) RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS • • • • CA-3 (5)

CA-04 SECURITY CERTIFICATION CA-04

CA-05 PLAN OF ACTION AND MILESTONES • CA-05

P3 LOW CA-5 (1) AUTOMATION SUPPORT FOR ACCURACY / CURRENCY • CA-5 (1)

CA-06 SECURITY AUTHORIZATION • CA-06

P2 LOW •

CA-07 CONTINUOUS MONITORING • • • • • • • • • • • • • • CA-07

P2 LOW CA-7 (1) INDEPENDENT ASSESSMENT • • • • • • • • • • • • • • CA-7 (1)

CA-7 (2) TYPES OF ASSESSMENTS • • • • • • • • • • • • • • CA-7 (2)

CA-7 (3) TREND ANALYSES • • • • • • • • • • • • • • CA-7 (3)

CA-08 PENETRATION TESTING • CA-08

P2 HIGH CA-8 (1) INDEPENDENT PENETRATION AGENT OR TEAM • CA-8 (1)

CA-8 (2) RED TEAM EXERCISES • CA-8 (2)

CA-09 INTERNAL SYSTEM CONNECTIONS • • • • • CA-09

P2 LOW CA-9 (1) SECURITY COMPLIANCE CHECKS • • • • • CA-9 (1)

SYSTEM AND COMMUNICATIONS PROTECTION SYSTEM AND COMMUNICATIONS PROTECTION

SC-01 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES SC-01

P1 LOW

SC-02 APPLICATION PARTITIONING SC-02

P1 MODERATE SC-2 (1) INTERFACES FOR NON-PRIVILEGED USERS SC-2 (1)

SC-03 SECURITY FUNCTION ISOLATION SC-03

P1 HIGH SC-3 (1) HARDWARE SEPARATION SC-3 (1)

SC-3 (2) ACCESS / FLOW CONTROL FUNCTIONS SC-3 (2)

SC-3 (3) MINIMIZE NONSECURITY FUNCTIONALITY SC-3 (3)

SC-3 (4) MODULE COUPLING AND COHESIVENESS SC-3 (4)

SC-3 (5) LAYERED STRUCTURES SC-3 (5)

SC-04 INFORMATION IN SHARED RESOURCES SC-04






Cou

nt

SC-04 P1 MODERATE SC-4 (1) SECURITY LEVELS SC-4 (1)

SC-4 (2) PERIODS PROCESSING SC-4 (2)

SC-05 DENIAL OF SERVICE PROTECTION SC-05

P1 LOW SC-5 (1) RESTRICT INTERNAL USERS SC-5 (1)

SC-5 (2) EXCESS CAPACITY / BANDWIDTH / REDUNDANCY SC-5 (2)

SC-5 (3) DETECTION / MONITORING SC-5 (3)

SC-06 RESOURCE AVAILABILITY SC-06

P0

SC-07 BOUNDARY PROTECTION • SC-07

P1 LOW SC-7 (1) PHYSICALLY SEPARATED SUBNETWORKS • SC-7 (1)

SC-7 (2) PUBLIC ACCESS • SC-7 (2)

SC-7 (3) ACCESS POINTS • SC-7 (3)

SC-7 (4) EXTERNAL TELECOMMUNICATIONS SERVICES • SC-7 (4)

SC-7 (5) DENY BY DEFAULT / ALLOW BY EXCEPTION • SC-7 (5)

SC-7 (6) RESPONSE TO RECOGNIZED FAILURES • SC-7 (6)

SC-7 (7) PREVENT SPLIT TUNNELING FOR REMOTE DEVICES • SC-7 (7)

SC-7 (8) ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS • SC-7 (8)

SC-7 (9) RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC • SC-7 (9)

SC-7 (10) PREVENT UNAUTHORIZED EXFILTRATION • SC-7 (10)

SC-7 (11) RESTRICT INCOMING COMMUNICATIONS TRAFFIC • SC-7 (11)

SC-7 (12) HOST-BASED PROTECTION • SC-7 (12)

SC-7 (13) ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS • SC-7 (13)

SC-7 (14) PROTECTS AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS • SC-7 (14)

SC-7 (15) ROUTE PRIVILEGED NETWORK ACCESSES • SC-7 (15)

SC-7 (16) PREVENT DISCOVERY OF COMPONENTS / DEVICES • SC-7 (16)

SC-7 (17) AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS • SC-7 (17)

SC-7 (18) FAIL SECURE • SC-7 (18)

SC-7 (19) BLOCKS COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS • SC-7 (19)

SC-7 (20) DYNAMIC ISOLATION / SEGREGATION • SC-7 (20)

SC-7 (21) ISOLATION OF INFORMATION SYSTEM COMPONENTS • SC-7 (21)

SC-7 (22) SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS • SC-7 (22)

SC-7 (23) DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE • SC-7 (23)

SC-08 TRANSMISSION CONFIDENTIALITY AND INTEGRITY • • • SC-08

P1 MODERATE SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION • • • SC-8 (1)

SC-8 (2) PRE / POST TRANSMISSION HANDLING • • • SC-8 (2)

SC-8 (3) CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS • • • SC-8 (3)

SC-8 (4) CONCEAL / RANDOMIZE COMMUNICATIONS • • • SC-8 (4)

SC-09 TRANSMISSION CONFIDENTIALITY SC-09

SC-10 NETWORK DISCONNECT SC-10

P2 MODERATE

SC-11 TRUSTED PATH SC-11

P0 SC-11 (1) LOGICAL ISOLATION SC-11 (1)






Cou

nt

SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT SC-12

P1 LOW SC-12 (1) AVAILABILITY SC-12 (1)

SC-12 (2) SYMMETRIC KEYS SC-12 (2)

SC-12 (3) ASYMMETRIC KEYS SC-12 (3)

SC-12 (4) PKI CERTIFICATES SC-12 (4)

SC-12 (5) PKI CERTIFICATES / HARDWARE TOKENS SC-12 (5)

SC-13 CRYPTOGRAPHIC PROTECTION SC-13

P1 LOW SC-13 (1) FIPS-VALIDATED CRYPTOGRAPHY SC-13 (1)

SC-13 (2) NSA-APPROVED CRYPTOGRAPHY SC-13 (2)

SC-13 (3) INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS SC-13 (3)

SC-13 (4) DIGITAL SIGNATURES SC-13 (4)

SC-14 PUBLIC ACCESS PROTECTIONS SC-14

SC-15 COLLABORATIVE COMPUTING DEVICES • SC-15

P1 LOW SC-15 (1) PHYSICAL DISCONNECT • SC-15 (1)

SC-15 (2) BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC • SC-15 (2)

SC-15 (3) DISABLING / REMOVAL IN SECURE WORK AREAS • SC-15 (3)

SC-15 (4) EXPLICITLY INDICATE CURRENT PARTICIPANTS • SC-15 (4)

SC-16 TRANSMISSION OF SECURITY ATTRIBUTES • SC-16

P0 SC-16 (1) INTEGRITY VALIDATION • SC-16 (1)

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES • • SC-17

P1 MODERATE • •

SC-18 MOBILE CODE • SC-18

P2 MODERATE SC-18 (1) IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS • SC-18 (1)

SC-18 (2) ACQUISITION / DEVELOPMENT / USE • SC-18 (2)

SC-18 (3) PREVENT DOWNLOADING / EXECUTION • SC-18 (3)

SC-18 (4) PREVENT AUTOMATIC EXECUTION • SC-18 (4)

SC-18 (5) ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS • SC-18 (5)

SC-19 VOICE OVER INTERNET PROTOCOL SC-19

P1 MODERATE

SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) • • SC-20

P1 LOW SC-20 (1) CHILD SUBSPACES • • SC-20 (1)

SC-20 (2) DATA ORIGIN / INTEGRITY • • SC-20 (2)

SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) • • SC-21

P1 LOW SC-21 (1) DATA ORIGIN / INTEGRITY • • SC-21 (1)

SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE • • SC-22

P1 LOW • •

SC-23 SESSION AUTHENTICITY • SC-23

P1 MODERATE SC-23 (1) INVALIDATE SESSION IDENTIFIERS AT LOGOUT • SC-23 (1)

SC-23 (2) USER-INITIATED LOGOUTS / MESSAGE DISPLAYS • SC-23 (2)

SC-23 (3) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION • SC-23 (3)






Cou

nt

SC-23 P1 MODERATE SC-23 (4) UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION • SC-23 (4)

SC-23 (5) ALLOWED CERTIFICATE AUTHORITIES • SC-23 (5)

SC-24 FAIL IN KNOWN STATE • SC-24

P1 HIGH •

SC-25 THIN NODES SC-25

P0

SC-26 HONEYPOTS SC-26

P0 SC-26 (1) DETECTION OF MALICIOUS CODE SC-26 (1)

SC-27 PLATFORM-INDEPENDENT APPLICATIONS SC-27

P0

SC-28 PROTECTION OF INFORMATION AT REST • SC-28

P1 MODERATE SC-28 (1) CRYPTOGRAPHIC PROTECTION • SC-28 (1)

SC-28 (2) OFF-LINE STORAGE • SC-28 (2)

SC-29 HETEROGENEITY SC-29

P0 SC-29 (1) VIRTUALIZATION TECHNIQUES SC-29 (1)

SC-30 CONCEALMENT AND MISDIRECTION SC-30

P0 SC-30 (1) VIRTUALIZATION TECHNIQUES SC-30 (1)

SC-30 (2) RANDOMNESS SC-30 (2)

SC-30 (3) CHANGE PROCESSING / STORAGE LOCATIONS SC-30 (3)

SC-30 (4) MISLEADING INFORMATION SC-30 (4)

SC-30 (5) CONCEALMENT OF SYSTEM COMPONENTS SC-30 (5)

SC-31 COVERT CHANNEL ANALYSIS • SC-31

P0 SC-31 (1) TEST COVERT CHANNELS FOR EXPLOITABILITY • SC-31 (1)

SC-31 (2) MAXIMUM BANDWIDTH • SC-31 (2)

SC-31 (3) MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS • SC-31 (3)

SC-32 INFORMATION SYSTEM PARTITIONING • SC-32

P0 •

SC-33 TRANSMISSION PREPARATION INTEGRITY SC-33

SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS • • • SC-34

P0 SC-34 (1) NO WRITABLE STORAGE • • • SC-34 (1)

SC-34 (2) INTEGRITY PROTECTION / READ-ONLY MEDIA • • • SC-34 (2)

SC-34 (3) HARDWARE-BASED PROTECTION • • • SC-34 (3)

SC-35 HONEYCLIENTS SC-35

P0

SC-36 DISTRIBUTED PROCESSING AND STORAGE SC-36

P0 SC-36 (1) POLLING TECHNIQUES SC-36 (1)

SC-37 OUT-OF-BAND CHANNELS • SC-37

P0 SC-37 (1) ENSURE DELIVERY / TRANSMISSION • SC-37 (1)






Cou

nt

SC-38 OPERATIONS SECURITY SC-38

P0

SC-39 PROCESS ISOLATION • • SC-39

P1 LOW SC-39 (1) HARDWARE SEPARATION • • SC-39 (1)

SC-39 (2) THREAD ISOLATION • • SC-39 (2)

SC-40 WIRELESS LINK PROTECTION • SC-40

P0 SC-40 (1) ELECTROMAGNETIC INTERFERENCE • SC-40 (1)

SC-40 (2) REDUCE DETECTION POTENTIAL • SC-40 (2)

SC-40 (3) IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION • SC-40 (3)

SC-40 (4) SIGNAL PARAMETER IDENTIFICATION • SC-40 (4)

SC-41 PORT AND I/O DEVICE ACCESS • • SC-41

P0 • •

SC-42 SENSOR CAPABILITY AND DATA SC-42

P0 SC-42 (1) REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES SC-42 (1)

SC-42 (2) AUTHORIZED USE SC-42 (2)

SC-42 (3) PROHIBIT USE OF DEVICES SC-42 (3)

SC-43 USAGE RESTRICTIONS SC-43

P0

SC-44 DETONATION CHAMBERS • SC-44

P0 •

SYSTEM AND INFORMATION INTEGRITY SYSTEM AND INFORMATION INTEGRITY

SI-01 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES SI-01

P1 LOW

SI-02 FLAW REMEDIATION • SI-02

P1 LOW SI-2 (1) CENTRAL MANAGEMENT • SI-2 (1)

SI-2 (2) AUTOMATED FLAW REMEDIATION STATUS • SI-2 (2)

SI-2 (3) TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS • SI-2 (3)

SI-2 (4) AUTOMATED PATCH MANAGEMENT TOOLS • SI-2 (4)

SI-2 (5) AUTOMATIC SOFTWARE / FIRMWARE UPDATES • SI-2 (5)

SI-2 (6) REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE • SI-2 (6)

SI-03 MALICIOUS CODE PROTECTION • SI-03

P1 LOW SI-3 (1) CENTRAL MANAGEMENT • SI-3 (1)

SI-3 (2) AUTOMATIC UPDATES • SI-3 (2)

SI-3 (3) NON-PRIVILEGED USERS • SI-3 (3)

SI-3 (4) UPDATES ONLY BY PRIVILEGED USERS • SI-3 (4)

SI-3 (5) PORTABLE STORAGE DEVICES • SI-3 (5)

SI-3 (6) TESTING / VERIFICATION • SI-3 (6)

SI-3 (7) NONSIGNATURE-BASED DETECTION • SI-3 (7)

SI-3 (8) DETECT UNAUTHORIZED COMMANDS • SI-3 (8)

SI-3 (9) AUTHENTICATE REMOTE COMMANDS • SI-3 (9)

SI-3 (10) MALICIOUS CODE ANALYSIS • SI-3 (10)

SI-04 INFORMATION SYSTEM MONITORING • • • • • • • • • • • • • • SI-04






Cou

nt

SI-04 P1 LOW SI-4 (1) SYSTEM-WIDE INTRUSION DETECTION SYSTEM • • • • • • • • • • • • • • SI-4 (1)

SI-4 (2) AUTOMATED TOOLS FOR REAL-TIME ANALYSIS • • • • • • • • • • • • • • SI-4 (2)

SI-4 (3) AUTOMATED TOOL INTEGRATION • • • • • • • • • • • • • • SI-4 (3)

SI-4 (4) INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC • • • • • • • • • • • • • • SI-4 (4)

SI-4 (5) SYSTEM-GENERATED ALERTS • • • • • • • • • • • • • • SI-4 (5)

SI-4 (6) RESTRICT NON-PRIVILEGED USERS • • • • • • • • • • • • • • SI-4 (6)

SI-4 (7) AUTOMATED RESPONSE TO SUSPICIOUS EVENTS • • • • • • • • • • • • • • SI-4 (7)

SI-4 (8) PROTECTION OF MONITORING INFORMATION • • • • • • • • • • • • • • SI-4 (8)

SI-4 (9) TESTING OF MONITORING TOOLS • • • • • • • • • • • • • • SI-4 (9)

SI-4 (10) VISIBILITY OF ENCRYPTED COMMUNICATIONS • • • • • • • • • • • • • • SI-4 (10)

SI-4 (11) ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES • • • • • • • • • • • • • • SI-4 (11)

SI-4 (12) AUTOMATED ALERTS • • • • • • • • • • • • • • SI-4 (12)

SI-4 (13) ANALYZE TRAFFIC / EVENT PATTERNS • • • • • • • • • • • • • • SI-4 (13)

SI-4 (14) WIRELESS INTRUSION DETECTION • • • • • • • • • • • • • • SI-4 (14)

SI-4 (15) WIRELESS TO WIRELINE COMMUNICATIONS • • • • • • • • • • • • • • SI-4 (15)

SI-4 (16) CORRELATE MONITORING INFORMATION • • • • • • • • • • • • • • SI-4 (16)

SI-4 (17) INTEGRATED SITUATIONAL AWARENESS • • • • • • • • • • • • • • SI-4 (17)

SI-4 (18) ANALYZE TRAFFIC / COVERT EXFILTRATION • • • • • • • • • • • • • • SI-4 (18)

SI-4 (19) INDIVIDUALS POSING GREATER RISK • • • • • • • • • • • • • • SI-4 (19)

SI-4 (20) PRIVILEGED USER • • • • • • • • • • • • • • SI-4 (20)

SI-4 (21) PROBATIONARY PERIODS • • • • • • • • • • • • • • SI-4 (21)

SI-4 (22) UNAUTHORIZED NETWORK SERVICES • • • • • • • • • • • • • • SI-4 (22)

SI-4 (23) HOST-BASED DEVICES • • • • • • • • • • • • • • SI-4 (23)

SI-4 (24) INDICATORS OF COMPROMISE • • • • • • • • • • • • • • SI-4 (24)

SI-05 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES SI-05

P1 LOW SI-5 (1) AUTOMATED ALERTS AND ADVISORIES SI-5 (1)

SI-06 SECURITY FUNCTION VERIFICATION • SI-06

P1 HIGH SI-6 (1) NOTIFICATION OF FAILED SECURITY TESTS SI-6 (1)

SI-6 (2) AUTOMATION SUPPORT FOR DISTRIBUTED TESTING SI-6 (2)

SI-6 (3) REPORT VERIFICATION RESULTS SI-6 (3)

SI-07 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY • SI-07

P1 MODERATE SI-7 (1) INTEGRITY CHECKS • SI-7 (1)

SI-7 (2) AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS • SI-7 (2)

SI-7 (3) CENTRALLY-MANAGED INTEGRITY TOOLS • SI-7 (3)

SI-7 (4) TAMPER-EVIDENT PACKAGING • SI-7 (4)

SI-7 (5) AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS • SI-7 (5)

SI-7 (6) CRYPTOGRAPHIC PROTECTION • SI-7 (6)

SI-7 (7) INTEGRATION OF DETECTION AND RESPONSE • SI-7 (7)

SI-7 (8) AUDITING CAPABILITY FOR SIGNIFICANT EVENTS • SI-7 (8)

SI-7 (9) VERIFY BOOT PROCESS • SI-7 (9)

SI-7 (10) PROTECTION OF BOOT FIRMWARE • SI-7 (10)

SI-7 (11) CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES • SI-7 (11)

SI-7 (12) INTEGRITY VERIFICATION • SI-7 (12)

SI-7 (13) CODE EXECUTION IN PROTECTED ENVIRONMENTS • SI-7 (13)

SI-7 (14) BINARY OR MACHINE EXECUTABLE CODE • SI-7 (14)






Cou

nt

SI-07 P1 MODERATE SI-7 (15) CODE AUTHENTICATION • SI-7 (15)

SI-7 (16) TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION • SI-7 (16)

SI-08 SPAM PROTECTION • SI-08

P2 MODERATE SI-8 (1) CENTRAL MANAGEMENT • SI-8 (1)

SI-8 (2) AUTOMATIC UPDATES • SI-8 (2)

SI-8 (3) CONTINUOUS LEARNING CAPABILITY • SI-8 (3)

SI-09 INFORMATION INPUT RESTRICTIONS SI-09

SI-10 INFORMATION INPUT VALIDATION • SI-10

P1 MODERATE SI-10 (1) MANUAL OVERRIDE CAPABILITY • SI-10 (1)

SI-10 (2) REVIEW / RESOLUTION OF ERRORS • SI-10 (2)

SI-10 (3) PREDICTABLE BEHAVIOR • SI-10 (3)

SI-10 (4) REVIEW / TIMING INTERACTIONS • SI-10 (4)

SI-10 (5) RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS • SI-10 (5)

SI-11 ERROR HANDLING • SI-11

P2 MODERATE •

SI-12 INFORMATION HANDLING AND RETENTION SI-12

P2 LOW

SI-13 PREDICTABLE FAILURE PREVENTION SI-13

P0 SI-13 (1) TRANSFERRING COMPONENT RESPONSIBILITIES SI-13 (1)

SI-13 (2) TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION SI-13 (2)

SI-13 (3) MANUAL TRANSFER BETWEEN COMPONENTS SI-13 (3)

SI-13 (4) STANDBY COMPONENT INSTALLATION / NOTIFICATION SI-13 (4)

SI-13 (5) FAILOVER CAPABILITY SI-13 (5)

SI-14 NON-PERSISTENCE SI-14

P0 SI-14 (1) REFRESH FROM TRUSTED SOURCES SI-14 (1)

SI-15 INFORMATION OUTPUT FILTERING • SI-15

P0 •

SI-16 MEMORY PROTECTION • SI-16

P1 MODERATE •

SI-17 FAIL-SAFE PROCEDURES SI-17

P0

SYSTEM AND SERVICES ACQUISITION SYSTEM AND SERVICES ACQUISITION

SA-01 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES SA-01

P1 LOW

SA-02 ALLOCATION OF RESOURCES SA-02

P1 LOW

SA-03 SYSTEM DEVELOPMENT LIFE CYCLE • SA-03

P1 LOW •

SA-04 ACQUISITION PROCESS • • • SA-04

P1 LOW SA-4 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS • • • SA-4 (1)

SA-4 (2) DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS • • • SA-4 (2)






Cou

nt

SA-04 P1 LOW SA-4 (3) DEVELOPMENT METHODS / TECHNIQUES / PRACTICES • • • SA-4 (3)

SA-4 (4) ASSIGNMENT OF COMPONENTS TO SYSTEMS • • • SA-4 (4)

SA-4 (5) SYSTEM / COMPONENT / SERVICE CONFIGURATIONS • • • SA-4 (5)

SA-4 (6) USE OF INFORMATION ASSURANCE PRODUCTS • • • SA-4 (6)

SA-4 (7) NIAP-APPROVED PROTECTION PROFILES • • • SA-4 (7)

SA-4 (8) CONTINUOUS MONITORING PLAN • • • SA-4 (8)

SA-4 (9) FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE • • • SA-4 (9)

SA-4 (10) USE OF APPROVED PIV PRODUCTS • • • SA-4 (10)

SA-05 INFORMATION SYSTEM DOCUMENTATION SA-05

P2 LOW SA-5 (1) FUNCTIONAL PROPERTIES OF SECURITY CONTROLS SA-5 (1)

SA-5 (2) SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES SA-5 (2)

SA-5 (3) HIGH-LEVEL DESIGN SA-5 (3)

SA-5 (4) LOW-LEVEL DESIGN SA-5 (4)

SA-5 (5) SOURCE CODE SA-5 (5)

SA-06 SOFTWARE USAGE RESTRICTIONS SA-06

SA-07 USER-INSTALLED SOFTWARE SA-07

SA-08 SECURITY ENGINEERING PRINCIPLES • SA-08

P1 MODERATE •

SA-09 EXTERNAL INFORMATION SYSTEM SERVICES • SA-09

P1 LOW SA-9 (1) RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS • SA-9 (1)

SA-9 (2) IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES • SA-9 (2)

SA-9 (3) ESTABLISH / MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS • SA-9 (3)

SA-9 (4) CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS • SA-9 (4)

SA-9 (5) PROCESSING, STORAGE, AND SERVICE LOCATION • SA-9 (5)

SA-10 DEVELOPER CONFIGURATION MANAGEMENT • SA-10

P1 MODERATE SA-10 (1) SOFTWARE / FIRMWARE INTEGRITY VERIFICATION • SA-10 (1)

SA-10 (2) ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES • SA-10 (2)

SA-10 (3) HARDWARE INTEGRITY VERIFICATION • SA-10 (3)

SA-10 (4) TRUSTED GENERATION • SA-10 (4)

SA-10 (5) MAPPING INTEGRITY FOR VERSION CONTROL • SA-10 (5)

SA-10 (6) TRUSTED DISTRIBUTION • SA-10 (6)

SA-11 DEVELOPER SECURITY TESTING AND EVALUATION • • SA-11

P1 MODERATE SA-11 (1) STATIC CODE ANALYSIS • • SA-11 (1)

SA-11 (2) THREAT AND VULNERABILITY ANALYSES • • SA-11 (2)

SA-11 (3) INDEPENDENT VERIFICATION OF ASSESSMENT PLANS / EVIDENCE • • SA-11 (3)

SA-11 (4) MANUAL CODE REVIEWS • • SA-11 (4)

SA-11 (5) PENETRATION TESTING / ANALYSIS • • SA-11 (5)

SA-11 (6) ATTACK SURFACE REVIEWS • • SA-11 (6)

SA-11 (7) VERIFY SCOPE OF TESTING / EVALUATION • • SA-11 (7)

SA-11 (8) DYNAMIC CODE ANALYSIS • • SA-11 (8)

SA-12 SUPPLY CHAIN PROTECTION SA-12






Cou

nt

SA-12 P1 HIGH SA-12 (1) ACQUISITION STRATEGIES / TOOLS / METHODS SA-12 (1)

SA-12 (2) SUPPLIER REVIEWS SA-12 (2)

SA-12 (3) TRUSTED SHIPPING AND WAREHOUSING SA-12 (3)

SA-12 (4) DIVERSITY OF SUPPLIERS SA-12 (4)

SA-12 (5) LIMITATION OF HARM SA-12 (5)

SA-12 (6) MINIMIZING PROCUREMENT TIME SA-12 (6)

SA-12 (7) ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE SA-12 (7)

SA-12 (8) USE OF ALL-SOURCE INTELLIGENCE SA-12 (8)

SA-12 (9) OPERATIONS SECURITY SA-12 (9)

SA-12 (10) VALIDATE AS GENUINE AND NOT ALTERED SA-12 (10)

SA-12 (11) PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS SA-12 (11)

SA-12 (12) INTER-ORGANIZATIONAL AGREEMENTS SA-12 (12)

SA-12 (13) CRITICAL INFORMATION SYSTEM COMPONENTS SA-12 (13)

SA-12 (14) IDENTITY AND TRACEABILITY SA-12 (14)

SA-12 (15) PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES SA-12 (15)

SA-13 TRUSTWORTHINESS • SA-13

P0 •

SA-14 CRITICALITY ANALYSIS SA-14

P0 SA-14 (1) CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING SA-14 (1)

SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS • SA-15

P2 HIGH SA-15 (1) QUALITY METRICS • SA-15 (1)

SA-15 (2) SECURITY TRACKING TOOLS • SA-15 (2)

SA-15 (3) CRITICALITY ANALYSIS • SA-15 (3)

SA-15 (4) THREAT MODELING / VULNERABILITY ANALYSIS • SA-15 (4)

SA-15 (5) ATTACK SURFACE REDUCTION • SA-15 (5)

SA-15 (6) CONTINUOUS IMPROVEMENT • SA-15 (6)

SA-15 (7) AUTOMATED VULNERABILITY ANALYSIS • SA-15 (7)

SA-15 (8) REUSE OF THREAT / VULNERABILITY INFORMATION • SA-15 (8)

SA-15 (9) USE OF LIVE DATA • SA-15 (9)

SA-15 (10) INCIDENT RESPONSE PLAN • SA-15 (10)

SA-15 (11) ARCHIVE INFORMATION SYSTEM / COMPONENT • SA-15 (11)

SA-16 DEVELOPER-PROVIDED TRAINING • • SA-16

P2 HIGH • •

SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN • • SA-17

P1 HIGH SA-17 (1) FORMAL POLICY MODEL • • SA-17 (1)

SA-17 (2) SECURITY-RELEVANT COMPONENTS • • SA-17 (2)

SA-17 (3) FORMAL CORRESPONDENCE • • SA-17 (3)

SA-17 (4) INFORMAL CORRESPONDENCE • • SA-17 (4)

SA-17 (5) CONCEPTUALLY SIMPLE DESIGN • • SA-17 (5)

SA-17 (6) STRUCTURE FOR TESTING • • SA-17 (6)

SA-17 (7) STRUCTURE FOR LEAST PRIVILEGE • • SA-17 (7)

SA-18 TAMPER RESISTANCE AND DETECTION • SA-18

P0 SA-18 (1) MULTIPLE PHASES OF SDLC • SA-18 (1)

SA-18 (2) INSPECTION OF INFORMATION SYSTEMS, COMPONENTS, OR DEVICES • SA-18 (2)






Cou

nt

SA-18 P0

SA-19 COMPONENT AUTHENTICITY SA-19

P0 SA-19 (1) ANTI-COUNTERFEIT TRAINING SA-19 (1)

SA-19 (2) CONFIGURATION CONTROL FOR COMPONENT SERVICE / REPAIR SA-19 (2)

SA-19 (3) COMPONENT DISPOSAL SA-19 (3)

SA-19 (4) ANTI-COUNTERFEIT SCANNING SA-19 (4)

SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS • SA-20

P0 •

SA-21 DEVELOPER SCREENING • SA-21

P0 SA-21 (1) VALIDATION OF SCREENING • SA-21 (1)

SA-22 UNSUPPORTED SYSTEM COMPONENTS SA-22

P0 SA-22 (1) ALTERNATIVE SOURCES FOR CONTINUED SUPPORT SA-22 (1)


(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804

Technology

privilege ac

procedures ac

individuals ac

access enforcement ac

p1 low ac

p1 moderate ac

privileged accounts

system information ac