NIST SP 800 53r4 Controls

FAMILY
NAME
TITLE
ACCESS CONTROL
AC-1
ACCESS CONTROL POLICY AND

PROCEDURES
ACCESS CONTROL
AC-1a.

PROCEDURES
ACCESS CONTROL
AC-1a.1.

PROCEDURES
ACCESS CONTROL
AC-1a.2.

PROCEDURES
ACCESS CONTROL
AC-1b.

PROCEDURES
ACCESS CONTROL
AC-1b.1.

PROCEDURES
ACCESS CONTROL
AC-1b.2.

PROCEDURES
ACCESS CONTROL
AC-2
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2a.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2b.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2c.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2d.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2e.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2f.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2g.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2h.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2h.1.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2h.2.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2h.3.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2i.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2i.1.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2i.2.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2i.3.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2j.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2k.
ACCOUNT MANAGEMENT
ACCESS CONTROL
AC-2 (1)
AUTOMATED SYSTEM ACCOUNT

MANAGEMENT
ACCESS CONTROL
AC-2 (2)
REMOVAL OF TEMPORARY / EMERGENCY

ACCOUNTS
ACCESS CONTROL
AC-2 (3)
DISABLE INACTIVE ACCOUNTS
ACCESS CONTROL
AC-2 (4)
AUTOMATED AUDIT ACTIONS
ACCESS CONTROL
AC-2 (5)
INACTIVITY LOGOUT
ACCESS CONTROL
AC-2 (6)
DYNAMIC PRIVILEGE MANAGEMENT
ACCESS CONTROL
AC-2 (7)
ROLE-BASED SCHEMES
ACCESS CONTROL
AC-2 (7)(a)
ROLE-BASED SCHEMES
ACCESS CONTROL
AC-2 (7)(b)
ROLE-BASED SCHEMES
ACCESS CONTROL
AC-2 (7)(c)
ROLE-BASED SCHEMES
ACCESS CONTROL
AC-2 (8)
DYNAMIC ACCOUNT CREATION
ACCESS CONTROL
AC-2 (9)
RESTRICTIONS ON USE OF SHARED / GROUP

ACCOUNTS
ACCESS CONTROL
AC-2 (10)
SHARED / GROUP ACCOUNT CREDENTIAL

TERMINATION
ACCESS CONTROL
AC-2 (11)
USAGE CONDITIONS
ACCESS CONTROL
AC-2 (12)
ACCOUNT MONITORING / ATYPICAL USAGE
ACCESS CONTROL
AC-2 (12)(a)
ACCESS CONTROL
AC-2 (12)(b)
ACCESS CONTROL
AC-2 (13)
DISABLE ACCOUNTS FOR HIGH-RISK

INDIVIDUALS
ACCESS CONTROL
AC-3
ACCESS ENFORCEMENT
ACCESS CONTROL
AC-3 (1)
RESTRICTED ACCESS TO PRIVILEGED

FUNCTIONS
ACCESS CONTROL
AC-3 (2)
DUAL AUTHORIZATION
ACCESS CONTROL
AC-3 (3)
MANDATORY ACCESS CONTROL
ACCESS CONTROL
AC-3 (3)(a)
ACCESS CONTROL
AC-3 (3)(b)
ACCESS CONTROL
AC-3 (3)(b)(1)
ACCESS CONTROL
AC-3 (3)(b)(2)
ACCESS CONTROL
AC-3 (3)(b)(3)
ACCESS CONTROL
AC-3 (3)(b)(4)
ACCESS CONTROL
AC-3 (3)(b)(5)
ACCESS CONTROL
AC-3 (3)(c)
ACCESS CONTROL
AC-3 (4)
DISCRETIONARY ACCESS CONTROL
ACCESS CONTROL
AC-3 (4)(a)
ACCESS CONTROL
AC-3 (4)(b)
ACCESS CONTROL
AC-3 (4)(c)
ACCESS CONTROL
AC-3 (4)(d)
ACCESS CONTROL
AC-3 (4)(e)
ACCESS CONTROL
AC-3 (5)
SECURITY-RELEVANT INFORMATION
ACCESS CONTROL
AC-3 (6)
PROTECTION OF USER AND SYSTEM

INFORMATION
ACCESS CONTROL
AC-3 (7)
ROLE-BASED ACCESS CONTROL
ACCESS CONTROL
AC-3 (8)
REVOCATION OF ACCESS AUTHORIZATIONS
ACCESS CONTROL
AC-3 (9)
CONTROLLED RELEASE
ACCESS CONTROL
AC-3 (9)(a)
CONTROLLED RELEASE
ACCESS CONTROL
AC-3 (9)(b)
CONTROLLED RELEASE
ACCESS CONTROL
AC-3 (10)
AUDITED OVERRIDE OF ACCESS CONTROL

MECHANISMS
ACCESS CONTROL
AC-4
INFORMATION FLOW ENFORCEMENT
ACCESS CONTROL
AC-4 (1)
OBJECT SECURITY ATTRIBUTES
ACCESS CONTROL
AC-4 (2)
PROCESSING DOMAINS
ACCESS CONTROL
AC-4 (3)
DYNAMIC INFORMATION FLOW CONTROL
ACCESS CONTROL
AC-4 (4)
CONTENT CHECK ENCRYPTED INFORMATION
ACCESS CONTROL
AC-4 (5)
EMBEDDED DATA TYPES
ACCESS CONTROL
AC-4 (6)
METADATA
ACCESS CONTROL
AC-4 (7)
ONE-WAY FLOW MECHANISMS
ACCESS CONTROL
AC-4 (8)
SECURITY POLICY FILTERS
ACCESS CONTROL
AC-4 (9)
HUMAN REVIEWS
ACCESS CONTROL
AC-4 (10)
ENABLE / DISABLE SECURITY POLICY FILTERS
ACCESS CONTROL
AC-4 (11)
CONFIGURATION OF SECURITY POLICY

FILTERS
ACCESS CONTROL
AC-4 (12)
DATA TYPE IDENTIFIERS
ACCESS CONTROL
AC-4 (13)
DECOMPOSITION INTO POLICY-RELEVANT

SUBCOMPONENTS
ACCESS CONTROL
AC-4 (14)
SECURITY POLICY FILTER CONSTRAINTS
ACCESS CONTROL
AC-4 (15)
DETECTION OF UNSANCTIONED
INFORMATION
ACCESS CONTROL
AC-4 (16)
INFORMATION TRANSFERS ON
INTERCONNECTED SYSTEMS
ACCESS CONTROL
AC-4 (17)
DOMAIN AUTHENTICATION
ACCESS CONTROL
AC-4 (18)
SECURITY ATTRIBUTE BINDING
ACCESS CONTROL
AC-4 (19)
VALIDATION OF METADATA
ACCESS CONTROL
AC-4 (20)
APPROVED SOLUTIONS
ACCESS CONTROL
AC-4 (21)
PHYSICAL / LOGICAL SEPARATION OF

INFORMATION FLOWS
ACCESS CONTROL
AC-4 (22)
ACCESS ONLY
ACCESS CONTROL
AC-5
SEPARATION OF DUTIES
ACCESS CONTROL
AC-5a.
ACCESS CONTROL
AC-5b.
ACCESS CONTROL
AC-5c.
ACCESS CONTROL
AC-6
LEAST PRIVILEGE
ACCESS CONTROL
AC-6 (1)
AUTHORIZE ACCESS TO SECURITY

FUNCTIONS
ACCESS CONTROL
AC-6 (2)
NON-PRIVILEGED ACCESS FOR

NONSECURITY FUNCTIONS
ACCESS CONTROL
AC-6 (3)
NETWORK ACCESS TO PRIVILEGED

COMMANDS
ACCESS CONTROL
AC-6 (4)
SEPARATE PROCESSING DOMAINS
ACCESS CONTROL
AC-6 (5)
PRIVILEGED ACCOUNTS
ACCESS CONTROL
AC-6 (6)
PRIVILEGED ACCESS BY NONORGANIZATIONAL USERS
ACCESS CONTROL
AC-6 (7)
REVIEW OF USER PRIVILEGES
ACCESS CONTROL
AC-6 (7)(a)
ACCESS CONTROL
AC-6 (7)(b)
ACCESS CONTROL
AC-6 (8)
PRIVILEGE LEVELS FOR CODE EXECUTION
ACCESS CONTROL
AC-6 (9)
AUDITING USE OF PRIVILEGED FUNCTIONS
ACCESS CONTROL
AC-6 (10)
PROHIBIT NON-PRIVILEGED USERS FROM

EXECUTING PRIVILEGED FUNCTIONS
ACCESS CONTROL
AC-7
UNSUCCESSFUL LOGON ATTEMPTS
ACCESS CONTROL
AC-7a.
ACCESS CONTROL
AC-7b.
ACCESS CONTROL
AC-7 (1)
AUTOMATIC ACCOUNT LOCK
ACCESS CONTROL
AC-7 (2)
PURGE / WIPE MOBILE DEVICE
ACCESS CONTROL
AC-8
SYSTEM USE NOTIFICATION
ACCESS CONTROL
AC-8a.
ACCESS CONTROL
AC-8a.1.
ACCESS CONTROL
AC-8a.2.
ACCESS CONTROL
AC-8a.3.
ACCESS CONTROL
AC-8a.4.
ACCESS CONTROL
AC-8b.
ACCESS CONTROL
AC-8c.
ACCESS CONTROL
AC-8c.1.
ACCESS CONTROL
AC-8c.2.
ACCESS CONTROL
AC-8c.3.
ACCESS CONTROL
AC-9
PREVIOUS LOGON (ACCESS) NOTIFICATION
ACCESS CONTROL
AC-9 (1)
UNSUCCESSFUL LOGONS
ACCESS CONTROL
AC-9 (2)
SUCCESSFUL / UNSUCCESSFUL LOGONS
ACCESS CONTROL
AC-9 (3)
NOTIFICATION OF ACCOUNT CHANGES
ACCESS CONTROL
AC-9 (4)
ADDITIONAL LOGON INFORMATION
ACCESS CONTROL
AC-10
CONCURRENT SESSION CONTROL
ACCESS CONTROL
AC-11
SESSION LOCK
ACCESS CONTROL
AC-11a.
SESSION LOCK
ACCESS CONTROL
AC-11b.
SESSION LOCK
ACCESS CONTROL
AC-11 (1)
PATTERN-HIDING DISPLAYS
ACCESS CONTROL
AC-12
SESSION TERMINATION
ACCESS CONTROL
AC-12 (1)
USER-INITIATED LOGOUTS / MESSAGE

DISPLAYS
ACCESS CONTROL
AC-12 (1)(a)

DISPLAYS
ACCESS CONTROL
AC-12 (1)(b)

DISPLAYS
ACCESS CONTROL
AC-13
SUPERVISION AND REVIEW - ACCESS

CONTROL
ACCESS CONTROL
AC-14
PERMITTED ACTIONS WITHOUT

IDENTIFICATION OR AUTHENTICATION
ACCESS CONTROL
AC-14a.

ACCESS CONTROL
AC-14b.

ACCESS CONTROL
AC-14 (1)
NECESSARY USES
ACCESS CONTROL
AC-15
AUTOMATED MARKING
ACCESS CONTROL
AC-16
SECURITY ATTRIBUTES
ACCESS CONTROL
AC-16a.
SECURITY ATTRIBUTES
ACCESS CONTROL
AC-16b.
SECURITY ATTRIBUTES
ACCESS CONTROL
AC-16c.
SECURITY ATTRIBUTES
ACCESS CONTROL
AC-16d.
SECURITY ATTRIBUTES
ACCESS CONTROL
AC-16 (1)
DYNAMIC ATTRIBUTE ASSOCIATION
ACCESS CONTROL
AC-16 (2)
ATTRIBUTE VALUE CHANGES BY

AUTHORIZED INDIVIDUALS
ACCESS CONTROL
AC-16 (3)
MAINTENANCE OF ATTRIBUTE ASSOCIATIONS

BY INFORMATION SYSTEM
ACCESS CONTROL
AC-16 (4)
ASSOCIATION OF ATTRIBUTES BY
ACCESS CONTROL
AC-16 (5)
ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES
ACCESS CONTROL
AC-16 (6)
MAINTENANCE OF ATTRIBUTE ASSOCIATION

BY ORGANIZATION
ACCESS CONTROL
AC-16 (7)
CONSISTENT ATTRIBUTE INTERPRETATION
ACCESS CONTROL
AC-16 (8)
ASSOCIATION TECHNIQUES / TECHNOLOGIES
ACCESS CONTROL
AC-16 (9)
ATTRIBUTE REASSIGNMENT
ACCESS CONTROL
AC-16 (10)
ATTRIBUTE CONFIGURATION BY
ACCESS CONTROL
AC-17
REMOTE ACCESS
ACCESS CONTROL
AC-17a.
REMOTE ACCESS
ACCESS CONTROL
AC-17b.
REMOTE ACCESS
ACCESS CONTROL
AC-17 (1)
AUTOMATED MONITORING / CONTROL
ACCESS CONTROL
AC-17 (2)
PROTECTION OF CONFIDENTIALITY /
INTEGRITY USING ENCRYPTION
ACCESS CONTROL
AC-17 (3)
MANAGED ACCESS CONTROL POINTS
ACCESS CONTROL
AC-17 (4)
PRIVILEGED COMMANDS / ACCESS
ACCESS CONTROL
AC-17 (4)(a)
ACCESS CONTROL
AC-17 (4)(b)
ACCESS CONTROL
AC-17 (5)
MONITORING FOR UNAUTHORIZED

CONNECTIONS
ACCESS CONTROL
AC-17 (6)
PROTECTION OF INFORMATION
ACCESS CONTROL
AC-17 (7)
ADDITIONAL PROTECTION FOR SECURITY

FUNCTION ACCESS
ACCESS CONTROL
AC-17 (8)
DISABLE NONSECURE NETWORK

PROTOCOLS
ACCESS CONTROL
AC-17 (9)
DISCONNECT / DISABLE ACCESS
ACCESS CONTROL
AC-18
WIRELESS ACCESS
ACCESS CONTROL
AC-18a.
WIRELESS ACCESS
ACCESS CONTROL
AC-18b.
WIRELESS ACCESS
ACCESS CONTROL
AC-18 (1)
AUTHENTICATION AND ENCRYPTION
ACCESS CONTROL
AC-18 (2)
MONITORING UNAUTHORIZED
CONNECTIONS
ACCESS CONTROL
AC-18 (3)
DISABLE WIRELESS NETWORKING
ACCESS CONTROL
AC-18 (4)
RESTRICT CONFIGURATIONS BY USERS
ACCESS CONTROL
AC-18 (5)
ANTENNAS / TRANSMISSION POWER LEVELS
ACCESS CONTROL
AC-19
ACCESS CONTROL FOR MOBILE DEVICES
ACCESS CONTROL
AC-19a.
ACCESS CONTROL
AC-19b.
ACCESS CONTROL
AC-19 (1)
USE OF WRITABLE / PORTABLE STORAGE

DEVICES
ACCESS CONTROL
AC-19 (2)
USE OF PERSONALLY OWNED PORTABLE

STORAGE DEVICES
ACCESS CONTROL
AC-19 (3)
USE OF PORTABLE STORAGE DEVICES WITH

NO IDENTIFIABLE OWNER
ACCESS CONTROL
AC-19 (4)
RESTRICTIONS FOR CLASSIFIED

INFORMATION
ACCESS CONTROL
AC-19 (4)(a)

INFORMATION
ACCESS CONTROL
AC-19 (4)(b)

INFORMATION
ACCESS CONTROL
AC-19 (4)(b)(1)

INFORMATION
ACCESS CONTROL
AC-19 (4)(b)(2)

INFORMATION
ACCESS CONTROL
AC-19 (4)(b)(3)

INFORMATION
ACCESS CONTROL
AC-19 (4)(b)(4)

INFORMATION
ACCESS CONTROL
AC-19 (4)(c)

INFORMATION
ACCESS CONTROL
AC-19 (5)
FULL DEVICE / CONTAINER-BASED

ENCRYPTION
ACCESS CONTROL
AC-20
USE OF EXTERNAL INFORMATION SYSTEMS
ACCESS CONTROL
AC-20a.
ACCESS CONTROL
AC-20b.
ACCESS CONTROL
AC-20 (1)
LIMITS ON AUTHORIZED USE
ACCESS CONTROL
AC-20 (1)(a)
ACCESS CONTROL
AC-20 (1)(b)
ACCESS CONTROL
AC-20 (2)
PORTABLE STORAGE DEVICES
ACCESS CONTROL
AC-20 (3)
NON-ORGANIZATIONALLY OWNED SYSTEMS /

COMPONENTS / DEVICES
ACCESS CONTROL
AC-20 (4)
NETWORK ACCESSIBLE STORAGE DEVICES
ACCESS CONTROL
AC-21
INFORMATION SHARING
ACCESS CONTROL
AC-21a.
INFORMATION SHARING
ACCESS CONTROL
AC-21b.
INFORMATION SHARING
ACCESS CONTROL
AC-21 (1)
AUTOMATED DECISION SUPPORT
ACCESS CONTROL
AC-21 (2)
INFORMATION SEARCH AND RETRIEVAL
ACCESS CONTROL
AC-22
PUBLICLY ACCESSIBLE CONTENT
ACCESS CONTROL
AC-22a.
ACCESS CONTROL
AC-22b.
ACCESS CONTROL
AC-22c.
ACCESS CONTROL
AC-22d.
ACCESS CONTROL
AC-23
DATA MINING PROTECTION
ACCESS CONTROL
AC-24
ACCESS CONTROL DECISIONS
ACCESS CONTROL
AC-24 (1)
TRANSMIT ACCESS AUTHORIZATION

INFORMATION
ACCESS CONTROL
AC-24 (2)
NO USER OR PROCESS IDENTITY
ACCESS CONTROL
AC-25
REFERENCE MONITOR
AWARENESS AND
TRAINING
AT-1
SECURITY AWARENESS AND TRAINING

POLICY AND PROCEDURES
AWARENESS AND
TRAINING
AT-1a.

AWARENESS AND
TRAINING
AT-1a.1.

AWARENESS AND
TRAINING
AT-1a.2.

AWARENESS AND
TRAINING
AT-1b.

AWARENESS AND
TRAINING
AT-1b.1.

AWARENESS AND
TRAINING
AT-1b.2.

AWARENESS AND
TRAINING
AT-2
SECURITY AWARENESS TRAINING
AWARENESS AND
TRAINING
AT-2a.
AWARENESS AND
TRAINING
AT-2b.
AWARENESS AND
TRAINING
AT-2c.
AWARENESS AND
TRAINING
AT-2 (1)
PRACTICAL EXERCISES
AWARENESS AND
TRAINING
AT-2 (2)
INSIDER THREAT
AWARENESS AND
TRAINING
AT-3
ROLE-BASED SECURITY TRAINING
AWARENESS AND
TRAINING
AT-3a.
AWARENESS AND
TRAINING
AT-3b.
AWARENESS AND
TRAINING
AT-3c.
AWARENESS AND
TRAINING
AT-3 (1)
ENVIRONMENTAL CONTROLS
AWARENESS AND
TRAINING
AT-3 (2)
PHYSICAL SECURITY CONTROLS
AWARENESS AND
TRAINING
AT-3 (3)
PRACTICAL EXERCISES
AWARENESS AND
TRAINING
AT-3 (4)
SUSPICIOUS COMMUNICATIONS AND

ANOMALOUS SYSTEM BEHAVIOR
AWARENESS AND
TRAINING
AT-4
SECURITY TRAINING RECORDS
AWARENESS AND
TRAINING
AT-4a.
AWARENESS AND
TRAINING
AT-4b.
AWARENESS AND
TRAINING
AT-5
CONTACTS WITH SECURITY GROUPS AND

ASSOCIATIONS
AUDIT AND
ACCOUNTABILITY
AU-1
AUDIT AND ACCOUNTABILITY POLICY AND

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-1a.

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-1a.1.

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-1a.2.

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-1b.

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-1b.1.

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-1b.2.

PROCEDURES
AUDIT AND
ACCOUNTABILITY
AU-2
AUDIT EVENTS
AUDIT AND
ACCOUNTABILITY
AU-2a.
AUDIT EVENTS
AUDIT AND
ACCOUNTABILITY
AU-2b.
AUDIT EVENTS
AUDIT AND
ACCOUNTABILITY
AU-2c.
AUDIT EVENTS
AUDIT AND
ACCOUNTABILITY
AU-2d.
AUDIT EVENTS
AUDIT AND
ACCOUNTABILITY
AU-2 (1)
COMPILATION OF AUDIT RECORDS FROM

MULTIPLE SOURCES
AUDIT AND
ACCOUNTABILITY
AU-2 (2)
SELECTION OF AUDIT EVENTS BY

COMPONENT
AUDIT AND
ACCOUNTABILITY
AU-2 (3)
REVIEWS AND UPDATES
AUDIT AND
ACCOUNTABILITY
AU-2 (4)
PRIVILEGED FUNCTIONS
AUDIT AND
ACCOUNTABILITY
AU-3
CONTENT OF AUDIT RECORDS
AUDIT AND
ACCOUNTABILITY
AU-3 (1)
ADDITIONAL AUDIT INFORMATION
AUDIT AND
ACCOUNTABILITY
AU-3 (2)
CENTRALIZED MANAGEMENT OF PLANNED

AUDIT RECORD CONTENT
AUDIT AND
ACCOUNTABILITY
AU-4
AUDIT STORAGE CAPACITY
AUDIT AND
ACCOUNTABILITY
AU-4 (1)
TRANSFER TO ALTERNATE STORAGE
AUDIT AND
ACCOUNTABILITY
AU-5
RESPONSE TO AUDIT PROCESSING FAILURES
AUDIT AND
ACCOUNTABILITY
AU-5a.
AUDIT AND
ACCOUNTABILITY
AU-5b.
AUDIT AND
ACCOUNTABILITY
AU-5 (1)
AUDIT STORAGE CAPACITY
AUDIT AND
ACCOUNTABILITY
AU-5 (2)
REAL-TIME ALERTS
AUDIT AND
ACCOUNTABILITY
AU-5 (3)
CONFIGURABLE TRAFFIC VOLUME

THRESHOLDS
AUDIT AND
ACCOUNTABILITY
AU-5 (4)
SHUTDOWN ON FAILURE
AUDIT AND
ACCOUNTABILITY
AU-6
AUDIT REVIEW, ANALYSIS, AND REPORTING
AUDIT AND
ACCOUNTABILITY
AU-6a.
AUDIT AND
ACCOUNTABILITY
AU-6b.
AUDIT AND
ACCOUNTABILITY
AU-6 (1)
PROCESS INTEGRATION
AUDIT AND
ACCOUNTABILITY
AU-6 (2)
AUTOMATED SECURITY ALERTS
AUDIT AND
ACCOUNTABILITY
AU-6 (3)
CORRELATE AUDIT REPOSITORIES
AUDIT AND
ACCOUNTABILITY
AU-6 (4)
CENTRAL REVIEW AND ANALYSIS
AUDIT AND
ACCOUNTABILITY
AU-6 (5)
INTEGRATION / SCANNING AND MONITORING

CAPABILITIES
AUDIT AND
ACCOUNTABILITY
AU-6 (6)
CORRELATION WITH PHYSICAL MONITORING
AUDIT AND
ACCOUNTABILITY
AU-6 (7)
PERMITTED ACTIONS
AUDIT AND
ACCOUNTABILITY
AU-6 (8)
FULL TEXT ANALYSIS OF PRIVILEGED

COMMANDS
AUDIT AND
ACCOUNTABILITY
AU-6 (9)
CORRELATION WITH INFORMATION FROM

NONTECHNICAL SOURCES
AUDIT AND
ACCOUNTABILITY
AU-6 (10)
AUDIT LEVEL ADJUSTMENT
AUDIT AND
ACCOUNTABILITY
AU-7
AUDIT REDUCTION AND REPORT

GENERATION
AUDIT AND
ACCOUNTABILITY
AU-7a.

GENERATION
AUDIT AND
ACCOUNTABILITY
AU-7b.

GENERATION
AUDIT AND
ACCOUNTABILITY
AU-7 (1)
AUTOMATIC PROCESSING
AUDIT AND
ACCOUNTABILITY
AU-7 (2)
AUTOMATIC SORT AND SEARCH
AUDIT AND
ACCOUNTABILITY
AU-8
TIME STAMPS
AUDIT AND
ACCOUNTABILITY
AU-8a.
TIME STAMPS
AUDIT AND
ACCOUNTABILITY
AU-8b.
TIME STAMPS
AUDIT AND
ACCOUNTABILITY
AU-8 (1)
SYNCHRONIZATION WITH AUTHORITATIVE

TIME SOURCE
AUDIT AND
ACCOUNTABILITY
AU-8 (1)(a)

TIME SOURCE
AUDIT AND
ACCOUNTABILITY
AU-8 (1)(b)

TIME SOURCE
AUDIT AND
ACCOUNTABILITY
AU-8 (2)
SECONDARY AUTHORITATIVE TIME SOURCE
AUDIT AND
ACCOUNTABILITY
AU-9
PROTECTION OF AUDIT INFORMATION
AUDIT AND
ACCOUNTABILITY
AU-9 (1)
HARDWARE WRITE-ONCE MEDIA
AUDIT AND
ACCOUNTABILITY
AU-9 (2)
AUDIT BACKUP ON SEPARATE PHYSICAL

SYSTEMS / COMPONENTS
AUDIT AND
ACCOUNTABILITY
AU-9 (3)
CRYPTOGRAPHIC PROTECTION
AUDIT AND
ACCOUNTABILITY
AU-9 (4)
ACCESS BY SUBSET OF PRIVILEGED USERS
AUDIT AND
ACCOUNTABILITY
AU-9 (5)
DUAL AUTHORIZATION
AUDIT AND
ACCOUNTABILITY
AU-9 (6)
READ ONLY ACCESS
AUDIT AND
ACCOUNTABILITY
AU-10
NON-REPUDIATION
AUDIT AND
ACCOUNTABILITY
AU-10 (1)
ASSOCIATION OF IDENTITIES
AUDIT AND
ACCOUNTABILITY
AU-10 (1)(a)
AUDIT AND
ACCOUNTABILITY
AU-10 (1)(b)
AUDIT AND
ACCOUNTABILITY
AU-10 (2)
VALIDATE BINDING OF INFORMATION

PRODUCER IDENTITY
AUDIT AND
ACCOUNTABILITY
AU-10 (2)(a)

PRODUCER IDENTITY
AUDIT AND
ACCOUNTABILITY
AU-10 (2)(b)

PRODUCER IDENTITY
AUDIT AND
ACCOUNTABILITY
AU-10 (3)
CHAIN OF CUSTODY
AUDIT AND
ACCOUNTABILITY
AU-10 (4)

REVIEWER IDENTITY
AUDIT AND
ACCOUNTABILITY
AU-10 (4)(a)

REVIEWER IDENTITY
AUDIT AND
ACCOUNTABILITY
AU-10 (4)(b)

REVIEWER IDENTITY
AUDIT AND
ACCOUNTABILITY
AU-10 (5)
DIGITAL SIGNATURES
AUDIT AND
ACCOUNTABILITY
AU-11
AUDIT RECORD RETENTION
AUDIT AND
ACCOUNTABILITY
AU-11 (1)
LONG-TERM RETRIEVAL CAPABILITY
AUDIT AND
ACCOUNTABILITY
AU-12
AUDIT GENERATION
AUDIT AND
ACCOUNTABILITY
AU-12a.
AUDIT GENERATION
AUDIT AND
ACCOUNTABILITY
AU-12b.
AUDIT GENERATION
AUDIT AND
ACCOUNTABILITY
AU-12c.
AUDIT GENERATION
AUDIT AND
ACCOUNTABILITY
AU-12 (1)
SYSTEM-WIDE / TIME-CORRELATED AUDIT

TRAIL
AUDIT AND
ACCOUNTABILITY
AU-12 (2)
STANDARDIZED FORMATS
AUDIT AND
ACCOUNTABILITY
AU-12 (3)
CHANGES BY AUTHORIZED INDIVIDUALS
AUDIT AND
ACCOUNTABILITY
AU-13
MONITORING FOR INFORMATION

DISCLOSURE
AUDIT AND
ACCOUNTABILITY
AU-13 (1)
USE OF AUTOMATED TOOLS
AUDIT AND
ACCOUNTABILITY
AU-13 (2)
REVIEW OF MONITORED SITES
AUDIT AND
ACCOUNTABILITY
AU-14
SESSION AUDIT
AUDIT AND
ACCOUNTABILITY
AU-14 (1)
SYSTEM START-UP
AUDIT AND
ACCOUNTABILITY
AU-14 (2)
CAPTURE/RECORD AND LOG CONTENT
AUDIT AND
ACCOUNTABILITY
AU-14 (3)
REMOTE VIEWING / LISTENING
AUDIT AND
ACCOUNTABILITY
AU-15
ALTERNATE AUDIT CAPABILITY
AUDIT AND
ACCOUNTABILITY
AU-16
CROSS-ORGANIZATIONAL AUDITING
AUDIT AND
ACCOUNTABILITY
AU-16 (1)
IDENTITY PRESERVATION
AUDIT AND
ACCOUNTABILITY
AU-16 (2)
SHARING OF AUDIT INFORMATION
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1
SECURITY ASSESSMENT AND

AUTHORIZATION POLICY AND PROCEDURES
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1a.

SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1a.1.

SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1a.2.

SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1b.

SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1b.1.

SECURITY ASSESSMENT
AND AUTHORIZATION
CA-1b.2.

SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2
SECURITY ASSESSMENTS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2a.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2a.1.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2a.2.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2a.3.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2b.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2c.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2d.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2 (1)
INDEPENDENT ASSESSORS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2 (2)
SPECIALIZED ASSESSMENTS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-2 (3)
EXTERNAL ORGANIZATIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3
SYSTEM INTERCONNECTIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3a.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3b.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3c.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3 (1)
UNCLASSIFIED NATIONAL SECURITY SYSTEM

CONNECTIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3 (2)
CLASSIFIED NATIONAL SECURITY SYSTEM

CONNECTIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3 (3)
UNCLASSIFIED NON-NATIONAL SECURITY

SYSTEM CONNECTIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3 (4)
CONNECTIONS TO PUBLIC NETWORKS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-3 (5)
RESTRICTIONS ON EXTERNAL SYSTEM

CONNECTIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-4
SECURITY CERTIFICATION
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-5
PLAN OF ACTION AND MILESTONES
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-5a.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-5b.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-5 (1)
AUTOMATION SUPPORT FOR ACCURACY /

CURRENCY
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-6
SECURITY AUTHORIZATION
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-6a.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-6b.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-6c.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7
CONTINUOUS MONITORING
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7a.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7b.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7c.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7d.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7e.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7f.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7g.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7 (1)
INDEPENDENT ASSESSMENT
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7 (2)
TYPES OF ASSESSMENTS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-7 (3)
TREND ANALYSES
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-8
PENETRATION TESTING
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-8 (1)
INDEPENDENT PENETRATION AGENT OR

TEAM
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-8 (2)
RED TEAM EXERCISES
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-9
INTERNAL SYSTEM CONNECTIONS
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-9a.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-9b.
SECURITY ASSESSMENT
AND AUTHORIZATION
CA-9 (1)
SECURITY COMPLIANCE CHECKS
CONFIGURATION
MANAGEMENT
CM-1
CONFIGURATION MANAGEMENT POLICY AND

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-1a.

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-1a.1.

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-1a.2.

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-1b.

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-1b.1.

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-1b.2.

PROCEDURES
CONFIGURATION
MANAGEMENT
CM-2
BASELINE CONFIGURATION
CONFIGURATION
MANAGEMENT
CM-2 (1)
REVIEWS AND UPDATES
CONFIGURATION
MANAGEMENT
CM-2 (1)(a)
REVIEWS AND UPDATES
CONFIGURATION
MANAGEMENT
CM-2 (1)(b)
REVIEWS AND UPDATES
CONFIGURATION
MANAGEMENT
CM-2 (1)(c)
REVIEWS AND UPDATES
CONFIGURATION
MANAGEMENT
CM-2 (2)
AUTOMATION SUPPORT FOR ACCURACY /

CURRENCY
CONFIGURATION
MANAGEMENT
CM-2 (3)
RETENTION OF PREVIOUS CONFIGURATIONS
CONFIGURATION
MANAGEMENT
CM-2 (4)
UNAUTHORIZED SOFTWARE
CONFIGURATION
MANAGEMENT
CM-2 (5)
AUTHORIZED SOFTWARE
CONFIGURATION
MANAGEMENT
CM-2 (6)
DEVELOPMENT AND TEST ENVIRONMENTS
CONFIGURATION
MANAGEMENT
CM-2 (7)
CONFIGURE SYSTEMS, COMPONENTS, OR

DEVICES FOR HIGH-RISK AREAS
CONFIGURATION
MANAGEMENT
CM-2 (7)(a)

CONFIGURATION
MANAGEMENT
CM-2 (7)(b)

CONFIGURATION
MANAGEMENT
CM-3
CONFIGURATION CHANGE CONTROL
CONFIGURATION
MANAGEMENT
CM-3a.
CONFIGURATION
MANAGEMENT
CM-3b.
CONFIGURATION
MANAGEMENT
CM-3c.
CONFIGURATION
MANAGEMENT
CM-3d.
CONFIGURATION
MANAGEMENT
CM-3e.
CONFIGURATION
MANAGEMENT
CM-3f.
CONFIGURATION
MANAGEMENT
CM-3g.
CONFIGURATION
MANAGEMENT
CM-3 (1)
AUTOMATED DOCUMENT / NOTIFICATION /

PROHIBITION OF CHANGES
CONFIGURATION
MANAGEMENT
CM-3 (1)(a)

CONFIGURATION
MANAGEMENT
CM-3 (1)(b)

CONFIGURATION
MANAGEMENT
CM-3 (1)(c)

CONFIGURATION
MANAGEMENT
CM-3 (1)(d)

CONFIGURATION
MANAGEMENT
CM-3 (1)(e)

CONFIGURATION
MANAGEMENT
CM-3 (1)(f)

CONFIGURATION
MANAGEMENT
CM-3 (2)
TEST / VALIDATE / DOCUMENT CHANGES
CONFIGURATION
MANAGEMENT
CM-3 (3)
AUTOMATED CHANGE IMPLEMENTATION
CONFIGURATION
MANAGEMENT
CM-3 (4)
SECURITY REPRESENTATIVE
CONFIGURATION
MANAGEMENT
CM-3 (5)
AUTOMATED SECURITY RESPONSE
CONFIGURATION
MANAGEMENT
CM-3 (6)
CRYPTOGRAPHY MANAGEMENT
CONFIGURATION
MANAGEMENT
CM-4
SECURITY IMPACT ANALYSIS
CONFIGURATION
MANAGEMENT
CM-4 (1)
SEPARATE TEST ENVIRONMENTS
CONFIGURATION
MANAGEMENT
CM-4 (2)
VERIFICATION OF SECURITY FUNCTIONS
CONFIGURATION
MANAGEMENT
CM-5
ACCESS RESTRICTIONS FOR CHANGE
CONFIGURATION
MANAGEMENT
CM-5 (1)
AUTOMATED ACCESS ENFORCEMENT /

AUDITING
CONFIGURATION
MANAGEMENT
CM-5 (2)
REVIEW SYSTEM CHANGES
CONFIGURATION
MANAGEMENT
CM-5 (3)
SIGNED COMPONENTS
CONFIGURATION
MANAGEMENT
CM-5 (4)
DUAL AUTHORIZATION
CONFIGURATION
MANAGEMENT
CM-5 (5)
LIMIT PRODUCTION / OPERATIONAL

PRIVILEGES
CONFIGURATION
MANAGEMENT
CM-5 (5)(a)
CONFIGURATION
MANAGEMENT
CM-5 (5)(b)
CONFIGURATION
MANAGEMENT
CM-5 (6)
LIMIT LIBRARY PRIVILEGES
CONFIGURATION
MANAGEMENT
CM-5 (7)
AUTOMATIC IMPLEMENTATION OF SECURITY

SAFEGUARDS
CONFIGURATION
MANAGEMENT
CM-6
CONFIGURATION SETTINGS
CONFIGURATION
MANAGEMENT
CM-6a.
CONFIGURATION
MANAGEMENT
CM-6b.
CONFIGURATION
MANAGEMENT
CM-6c.
CONFIGURATION
MANAGEMENT
CM-6d.
CONFIGURATION
MANAGEMENT
CM-6 (1)
AUTOMATED CENTRAL MANAGEMENT /

APPLICATION / VERIFICATION
CONFIGURATION
MANAGEMENT
CM-6 (2)
RESPOND TO UNAUTHORIZED CHANGES
CONFIGURATION
MANAGEMENT
CM-6 (3)
UNAUTHORIZED CHANGE DETECTION
CONFIGURATION
MANAGEMENT
CM-6 (4)
CONFORMANCE DEMONSTRATION
CONFIGURATION
MANAGEMENT
CM-7
LEAST FUNCTIONALITY
CONFIGURATION
MANAGEMENT
CM-7a.
LEAST FUNCTIONALITY
CONFIGURATION
MANAGEMENT
CM-7b.
LEAST FUNCTIONALITY
CONFIGURATION
MANAGEMENT
CM-7 (1)
PERIODIC REVIEW
CONFIGURATION
MANAGEMENT
CM-7 (1)(a)
PERIODIC REVIEW
CONFIGURATION
MANAGEMENT
CM-7 (1)(b)
PERIODIC REVIEW
CONFIGURATION
MANAGEMENT
CM-7 (2)
PREVENT PROGRAM EXECUTION
CONFIGURATION
MANAGEMENT
CM-7 (3)
REGISTRATION COMPLIANCE
CONFIGURATION
MANAGEMENT
CM-7 (4)
UNAUTHORIZED SOFTWARE / BLACKLISTING
CONFIGURATION
MANAGEMENT
CM-7 (4)(a)
CONFIGURATION
MANAGEMENT
CM-7 (4)(b)
CONFIGURATION
MANAGEMENT
CM-7 (4)(c)
CONFIGURATION
MANAGEMENT
CM-7 (5)
AUTHORIZED SOFTWARE / WHITELISTING
CONFIGURATION
MANAGEMENT
CM-7 (5)(a)
CONFIGURATION
MANAGEMENT
CM-7 (5)(b)
CONFIGURATION
MANAGEMENT
CM-7 (5)(c)
CONFIGURATION
MANAGEMENT
CM-8
INFORMATION SYSTEM COMPONENT

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8a.

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8a.1.

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8a.2.

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8a.3.

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8a.4.

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8b.

INVENTORY
CONFIGURATION
MANAGEMENT
CM-8 (1)
UPDATES DURING INSTALLATIONS /

REMOVALS
CONFIGURATION
MANAGEMENT
CM-8 (2)
AUTOMATED MAINTENANCE
CONFIGURATION
MANAGEMENT
CM-8 (3)
AUTOMATED UNAUTHORIZED COMPONENT

DETECTION
CONFIGURATION
MANAGEMENT
CM-8 (3)(a)

DETECTION
CONFIGURATION
MANAGEMENT
CM-8 (3)(b)

DETECTION
CONFIGURATION
MANAGEMENT
CM-8 (4)
ACCOUNTABILITY INFORMATION
CONFIGURATION
MANAGEMENT
CM-8 (5)
NO DUPLICATE ACCOUNTING OF
COMPONENTS
CONFIGURATION
MANAGEMENT
CM-8 (6)
ASSESSED CONFIGURATIONS / APPROVED

DEVIATIONS
CONFIGURATION
MANAGEMENT
CM-8 (7)
CENTRALIZED REPOSITORY
CONFIGURATION
MANAGEMENT
CM-8 (8)
AUTOMATED LOCATION TRACKING
CONFIGURATION
MANAGEMENT
CM-8 (9)
ASSIGNMENT OF COMPONENTS TO SYSTEMS
CONFIGURATION
MANAGEMENT
CM-8 (9)(a)
CONFIGURATION
MANAGEMENT
CM-8 (9)(b)
CONFIGURATION
MANAGEMENT
CM-9
CONFIGURATION MANAGEMENT PLAN
CONFIGURATION
MANAGEMENT
CM-9a.
CONFIGURATION
MANAGEMENT
CM-9b.
CONFIGURATION
MANAGEMENT
CM-9c.
CONFIGURATION
MANAGEMENT
CM-9d.
CONFIGURATION
MANAGEMENT
CM-9 (1)
ASSIGNMENT OF RESPONSIBILITY
CONFIGURATION
MANAGEMENT
CM-10
SOFTWARE USAGE RESTRICTIONS
CONFIGURATION
MANAGEMENT
CM-10a.
CONFIGURATION
MANAGEMENT
CM-10b.
CONFIGURATION
MANAGEMENT
CM-10c.
CONFIGURATION
MANAGEMENT
CM-10 (1)
OPEN SOURCE SOFTWARE
CONFIGURATION
MANAGEMENT
CM-11
USER-INSTALLED SOFTWARE
CONFIGURATION
MANAGEMENT
CM-11a.
CONFIGURATION
MANAGEMENT
CM-11b.
CONFIGURATION
MANAGEMENT
CM-11c.
CONFIGURATION
MANAGEMENT
CM-11 (1)
ALERTS FOR UNAUTHORIZED

INSTALLATIONS
CONFIGURATION
MANAGEMENT
CM-11 (2)
PROHIBIT INSTALLATION WITHOUT

PRIVILEGED STATUS
CONTINGENCY PLANNING
CP-1
CONTINGENCY PLANNING POLICY AND

PROCEDURES
CP-1a.

PROCEDURES
CP-1a.1.

PROCEDURES
CP-1a.2.

PROCEDURES
CP-1b.

PROCEDURES
CP-1b.1.

PROCEDURES
CP-1b.2.

PROCEDURES
CP-2
CONTINGENCY PLAN
CP-2a.
CONTINGENCY PLAN
CP-2a.1.
CONTINGENCY PLAN
CP-2a.2.
CONTINGENCY PLAN
CP-2a.3.
CONTINGENCY PLAN
CP-2a.4.
CONTINGENCY PLAN
CP-2a.5.
CONTINGENCY PLAN
CP-2a.6.
CONTINGENCY PLAN
CP-2b.
CONTINGENCY PLAN
CP-2c.
CONTINGENCY PLAN
CP-2d.
CONTINGENCY PLAN
CP-2e.
CONTINGENCY PLAN
CP-2f.
CONTINGENCY PLAN
CP-2g.
CONTINGENCY PLAN
CP-2 (1)
COORDINATE WITH RELATED PLANS
CP-2 (2)
CAPACITY PLANNING
CP-2 (3)
RESUME ESSENTIAL MISSIONS / BUSINESS

FUNCTIONS
CP-2 (4)
RESUME ALL MISSIONS / BUSINESS

FUNCTIONS
CP-2 (5)
CONTINUE ESSENTIAL MISSIONS / BUSINESS

FUNCTIONS
CP-2 (6)
ALTERNATE PROCESSING / STORAGE SITE
CP-2 (7)
COORDINATE WITH EXTERNAL SERVICE

PROVIDERS
CP-2 (8)
IDENTIFY CRITICAL ASSETS
CP-3
CONTINGENCY TRAINING
CP-3a.
CP-3b.
CP-3c.
CP-3 (1)
SIMULATED EVENTS
CP-3 (2)
AUTOMATED TRAINING ENVIRONMENTS
CP-4
CONTINGENCY PLAN TESTING
CP-4a.
CP-4b.
CP-4c.
CP-4 (1)
COORDINATE WITH RELATED PLANS
CP-4 (2)
ALTERNATE PROCESSING SITE
CP-4 (2)(a)
CP-4 (2)(b)
CP-4 (3)
AUTOMATED TESTING
CP-4 (4)
FULL RECOVERY / RECONSTITUTION
CP-5
CONTINGENCY PLAN UPDATE
CP-6
ALTERNATE STORAGE SITE
CP-6a.
CP-6b.
CP-6 (1)
SEPARATION FROM PRIMARY SITE
CP-6 (2)
RECOVERY TIME / POINT OBJECTIVES
CP-6 (3)
ACCESSIBILITY
CP-7
CP-7a.
CP-7b.
CP-7c.
CP-7 (1)
SEPARATION FROM PRIMARY SITE
CP-7 (2)
ACCESSIBILITY
CP-7 (3)
PRIORITY OF SERVICE
CP-7 (4)
PREPARATION FOR USE
CP-7 (5)
EQUIVALENT INFORMATION SECURITY

SAFEGUARDS
CP-7 (6)
INABILITY TO RETURN TO PRIMARY SITE
CP-8
TELECOMMUNICATIONS SERVICES
CP-8 (1)
PRIORITY OF SERVICE PROVISIONS
CP-8 (1)(a)
CP-8 (1)(b)
CP-8 (2)
SINGLE POINTS OF FAILURE
CP-8 (3)
SEPARATION OF PRIMARY / ALTERNATE

PROVIDERS
CP-8 (4)
PROVIDER CONTINGENCY PLAN
CP-8 (4)(a)
CP-8 (4)(b)
CP-8 (4)(c)
CP-8 (5)
ALTERNATE TELECOMMUNICATION SERVICE

TESTING
CP-9
INFORMATION SYSTEM BACKUP
CP-9a.
CP-9b.
CP-9c.
CP-9d.
CP-9 (1)
TESTING FOR RELIABILITY / INTEGRITY
CP-9 (2)
TEST RESTORATION USING SAMPLING
CP-9 (3)
SEPARATE STORAGE FOR CRITICAL

INFORMATION
CP-9 (4)
PROTECTION FROM UNAUTHORIZED

MODIFICATION
CP-9 (5)
TRANSFER TO ALTERNATE STORAGE SITE
CP-9 (6)
REDUNDANT SECONDARY SYSTEM
CP-9 (7)
DUAL AUTHORIZATION
CP-10
INFORMATION SYSTEM RECOVERY AND

RECONSTITUTION
CP-10 (1)
CP-10 (2)
TRANSACTION RECOVERY
CP-10 (3)
COMPENSATING SECURITY CONTROLS
CP-10 (4)
RESTORE WITHIN TIME PERIOD
CP-10 (5)
FAILOVER CAPABILITY
CP-10 (6)
COMPONENT PROTECTION
CP-11
ALTERNATE COMMUNICATIONS PROTOCOLS
CP-12
SAFE MODE
CP-13
ALTERNATIVE SECURITY MECHANISMS
IDENTIFICATION AND
AUTHENTICATION
IA-1
IDENTIFICATION AND AUTHENTICATION

IDENTIFICATION AND
AUTHENTICATION
IA-1a.

IDENTIFICATION AND
AUTHENTICATION
IA-1a.1.

IDENTIFICATION AND
AUTHENTICATION
IA-1a.2.

IDENTIFICATION AND
AUTHENTICATION
IA-1b.

IDENTIFICATION AND
AUTHENTICATION
IA-1b.1.

IDENTIFICATION AND
AUTHENTICATION
IA-1b.2.

IDENTIFICATION AND
AUTHENTICATION
IA-2

(ORGANIZATIONAL USERS)
IDENTIFICATION AND
AUTHENTICATION
IA-2 (1)

ACCOUNTS
IDENTIFICATION AND
AUTHENTICATION
IA-2 (2)
NETWORK ACCESS TO NON-PRIVILEGED

ACCOUNTS
IDENTIFICATION AND
AUTHENTICATION
IA-2 (3)
LOCAL ACCESS TO PRIVILEGED ACCOUNTS
IDENTIFICATION AND
AUTHENTICATION
IA-2 (4)
LOCAL ACCESS TO NON-PRIVILEGED

ACCOUNTS
IDENTIFICATION AND
AUTHENTICATION
IA-2 (5)
GROUP AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-2 (6)

ACCOUNTS - SEPARATE DEVICE
IDENTIFICATION AND
AUTHENTICATION
IA-2 (7)

ACCOUNTS - SEPARATE DEVICE
IDENTIFICATION AND
AUTHENTICATION
IA-2 (8)

ACCOUNTS - REPLAY RESISTANT
IDENTIFICATION AND
AUTHENTICATION
IA-2 (9)

ACCOUNTS - REPLAY RESISTANT
IDENTIFICATION AND
AUTHENTICATION
IA-2 (10)
SINGLE SIGN-ON
IDENTIFICATION AND
AUTHENTICATION
IA-2 (11)
REMOTE ACCESS - SEPARATE DEVICE
IDENTIFICATION AND
AUTHENTICATION
IA-2 (12)
ACCEPTANCE OF PIV CREDENTIALS
IDENTIFICATION AND
AUTHENTICATION
IA-2 (13)
OUT-OF-BAND AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-3
DEVICE IDENTIFICATION AND

AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-3 (1)
CRYPTOGRAPHIC BIDIRECTIONAL
AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-3 (2)
CRYPTOGRAPHIC BIDIRECTIONAL NETWORK

AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-3 (3)
DYNAMIC ADDRESS ALLOCATION
IDENTIFICATION AND
AUTHENTICATION
IA-3 (3)(a)
IDENTIFICATION AND
AUTHENTICATION
IA-3 (3)(b)
IDENTIFICATION AND
AUTHENTICATION
IA-3 (4)
DEVICE ATTESTATION
IDENTIFICATION AND
AUTHENTICATION
IA-4
IDENTIFIER MANAGEMENT
IDENTIFICATION AND
AUTHENTICATION
IA-4a.
IDENTIFICATION AND
AUTHENTICATION
IA-4b.
IDENTIFICATION AND
AUTHENTICATION
IA-4c.
IDENTIFICATION AND
AUTHENTICATION
IA-4d.
IDENTIFICATION AND
AUTHENTICATION
IA-4e.
IDENTIFICATION AND
AUTHENTICATION
IA-4 (1)
PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC

IDENTIFIERS
IDENTIFICATION AND
AUTHENTICATION
IA-4 (2)
SUPERVISOR AUTHORIZATION
IDENTIFICATION AND
AUTHENTICATION
IA-4 (3)
MULTIPLE FORMS OF CERTIFICATION
IDENTIFICATION AND
AUTHENTICATION
IA-4 (4)
IDENTIFY USER STATUS
IDENTIFICATION AND
AUTHENTICATION
IA-4 (5)
DYNAMIC MANAGEMENT
IDENTIFICATION AND
AUTHENTICATION
IA-4 (6)
CROSS-ORGANIZATION MANAGEMENT
IDENTIFICATION AND
AUTHENTICATION
IA-4 (7)
IN-PERSON REGISTRATION
IDENTIFICATION AND
AUTHENTICATION
IA-5
AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND
AUTHENTICATION
IA-5a.
IDENTIFICATION AND
AUTHENTICATION
IA-5b.
IDENTIFICATION AND
AUTHENTICATION
IA-5c.
IDENTIFICATION AND
AUTHENTICATION
IA-5d.
IDENTIFICATION AND
AUTHENTICATION
IA-5e.
IDENTIFICATION AND
AUTHENTICATION
IA-5f.
IDENTIFICATION AND
AUTHENTICATION
IA-5g.
IDENTIFICATION AND
AUTHENTICATION
IA-5h.
IDENTIFICATION AND
AUTHENTICATION
IA-5i.
IDENTIFICATION AND
AUTHENTICATION
IA-5j.
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)
PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)(a)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)(b)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)(c)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)(d)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)(e)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (1)(f)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (2)
PKI-BASED AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (2)(a)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (2)(b)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (2)(c)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (2)(d)
IDENTIFICATION AND
AUTHENTICATION
IA-5 (3)
IN-PERSON OR TRUSTED THIRD-PARTY

REGISTRATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (4)
AUTOMATED SUPPORT FOR PASSWORD

STRENGTH DETERMINATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (5)
CHANGE AUTHENTICATORS PRIOR TO

DELIVERY
IDENTIFICATION AND
AUTHENTICATION
IA-5 (6)
PROTECTION OF AUTHENTICATORS
IDENTIFICATION AND
AUTHENTICATION
IA-5 (7)
NO EMBEDDED UNENCRYPTED STATIC

AUTHENTICATORS
IDENTIFICATION AND
AUTHENTICATION
IA-5 (8)
MULTIPLE INFORMATION SYSTEM ACCOUNTS
IDENTIFICATION AND
AUTHENTICATION
IA-5 (9)
CROSS-ORGANIZATION CREDENTIAL
MANAGEMENT
IDENTIFICATION AND
AUTHENTICATION
IA-5 (10)
DYNAMIC CREDENTIAL ASSOCIATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (11)
HARDWARE TOKEN-BASED AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (12)
BIOMETRIC-BASED AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-5 (13)
EXPIRATION OF CACHED AUTHENTICATORS
IDENTIFICATION AND
AUTHENTICATION
IA-5 (14)
MANAGING CONTENT OF PKI TRUST STORES
IDENTIFICATION AND
AUTHENTICATION
IA-5 (15)
FICAM-APPROVED PRODUCTS AND SERVICES
IDENTIFICATION AND
AUTHENTICATION
IA-6
AUTHENTICATOR FEEDBACK
IDENTIFICATION AND
AUTHENTICATION
IA-7
CRYPTOGRAPHIC MODULE AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-8

(NON-ORGANIZATIONAL USERS)
IDENTIFICATION AND
AUTHENTICATION
IA-8 (1)
ACCEPTANCE OF PIV CREDENTIALS FROM

OTHER AGENCIES
IDENTIFICATION AND
AUTHENTICATION
IA-8 (2)
ACCEPTANCE OF THIRD-PARTY CREDENTIALS
IDENTIFICATION AND
AUTHENTICATION
IA-8 (3)
USE OF FICAM-APPROVED PRODUCTS
IDENTIFICATION AND
AUTHENTICATION
IA-8 (4)
USE OF FICAM-ISSUED PROFILES
IDENTIFICATION AND
AUTHENTICATION
IA-8 (5)
ACCEPTANCE OF PIV-I CREDENTIALS
IDENTIFICATION AND
AUTHENTICATION
IA-9
SERVICE IDENTIFICATION AND

AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-9 (1)
INFORMATION EXCHANGE
IDENTIFICATION AND
AUTHENTICATION
IA-9 (2)
TRANSMISSION OF DECISIONS
IDENTIFICATION AND
AUTHENTICATION
IA-10
ADAPTIVE IDENTIFICATION AND

AUTHENTICATION
IDENTIFICATION AND
AUTHENTICATION
IA-11
RE-AUTHENTICATION
INCIDENT RESPONSE
IR-1
INCIDENT RESPONSE POLICY AND

PROCEDURES
INCIDENT RESPONSE
IR-1a.

PROCEDURES
INCIDENT RESPONSE
IR-1a.1.

PROCEDURES
INCIDENT RESPONSE
IR-1a.2.

PROCEDURES
INCIDENT RESPONSE
IR-1b.

PROCEDURES
INCIDENT RESPONSE
IR-1b.1.

PROCEDURES
INCIDENT RESPONSE
IR-1b.2.

PROCEDURES
INCIDENT RESPONSE
IR-2
INCIDENT RESPONSE TRAINING
INCIDENT RESPONSE
IR-2a.
INCIDENT RESPONSE
IR-2b.
INCIDENT RESPONSE
IR-2c.
INCIDENT RESPONSE
IR-2 (1)
SIMULATED EVENTS
INCIDENT RESPONSE
IR-2 (2)
AUTOMATED TRAINING ENVIRONMENTS
INCIDENT RESPONSE
IR-3
INCIDENT RESPONSE TESTING
INCIDENT RESPONSE
IR-3 (1)
AUTOMATED TESTING
INCIDENT RESPONSE
IR-3 (2)
COORDINATION WITH RELATED PLANS
INCIDENT RESPONSE
IR-4
INCIDENT HANDLING
INCIDENT RESPONSE
IR-4a.
INCIDENT HANDLING
INCIDENT RESPONSE
IR-4b.
INCIDENT HANDLING
INCIDENT RESPONSE
IR-4c.
INCIDENT HANDLING
INCIDENT RESPONSE
IR-4 (1)
AUTOMATED INCIDENT HANDLING

PROCESSES
INCIDENT RESPONSE
IR-4 (2)
DYNAMIC RECONFIGURATION
INCIDENT RESPONSE
IR-4 (3)
CONTINUITY OF OPERATIONS
INCIDENT RESPONSE
IR-4 (4)
INFORMATION CORRELATION
INCIDENT RESPONSE
IR-4 (5)
AUTOMATIC DISABLING OF INFORMATION

SYSTEM
INCIDENT RESPONSE
IR-4 (6)
INSIDER THREATS - SPECIFIC CAPABILITIES
INCIDENT RESPONSE
IR-4 (7)
INSIDER THREATS - INTRA-ORGANIZATION

COORDINATION
INCIDENT RESPONSE
IR-4 (8)
CORRELATION WITH EXTERNAL

ORGANIZATIONS
INCIDENT RESPONSE
IR-4 (9)
DYNAMIC RESPONSE CAPABILITY
INCIDENT RESPONSE
IR-4 (10)
SUPPLY CHAIN COORDINATION
INCIDENT RESPONSE
IR-5
INCIDENT MONITORING
INCIDENT RESPONSE
IR-5 (1)
AUTOMATED TRACKING / DATA

COLLECTION / ANALYSIS
INCIDENT RESPONSE
IR-6
INCIDENT REPORTING
INCIDENT RESPONSE
IR-6a.
INCIDENT REPORTING
INCIDENT RESPONSE
IR-6b.
INCIDENT REPORTING
INCIDENT RESPONSE
IR-6 (1)
AUTOMATED REPORTING
INCIDENT RESPONSE
IR-6 (2)
VULNERABILITIES RELATED TO INCIDENTS
INCIDENT RESPONSE
IR-6 (3)
COORDINATION WITH SUPPLY CHAIN
INCIDENT RESPONSE
IR-7
INCIDENT RESPONSE ASSISTANCE
INCIDENT RESPONSE
IR-7 (1)
AUTOMATION SUPPORT FOR AVAILABILITY OF

INFORMATION / SUPPORT
INCIDENT RESPONSE
IR-7 (2)
COORDINATION WITH EXTERNAL PROVIDERS
INCIDENT RESPONSE
IR-7 (2)(a)
INCIDENT RESPONSE
IR-7 (2)(b)
INCIDENT RESPONSE
IR-8
INCIDENT RESPONSE PLAN
INCIDENT RESPONSE
IR-8a.
INCIDENT RESPONSE
IR-8a.1.
INCIDENT RESPONSE
IR-8a.2.
INCIDENT RESPONSE
IR-8a.3.
INCIDENT RESPONSE
IR-8a.4.
INCIDENT RESPONSE
IR-8a.5.
INCIDENT RESPONSE
IR-8a.6.
INCIDENT RESPONSE
IR-8a.7.
INCIDENT RESPONSE
IR-8a.8.
INCIDENT RESPONSE
IR-8b.
INCIDENT RESPONSE
IR-8c.
INCIDENT RESPONSE
IR-8d.
INCIDENT RESPONSE
IR-8e.
INCIDENT RESPONSE
IR-8f.
INCIDENT RESPONSE
IR-9
INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE
IR-9a.
INCIDENT RESPONSE
IR-9b.
INCIDENT RESPONSE
IR-9c.
INCIDENT RESPONSE
IR-9d.
INCIDENT RESPONSE
IR-9e.
INCIDENT RESPONSE
IR-9f.
INCIDENT RESPONSE
IR-9 (1)
RESPONSIBLE PERSONNEL
INCIDENT RESPONSE
IR-9 (2)
TRAINING
INCIDENT RESPONSE
IR-9 (3)
POST-SPILL OPERATIONS
INCIDENT RESPONSE
IR-9 (4)
EXPOSURE TO UNAUTHORIZED PERSONNEL
INCIDENT RESPONSE
IR-10
INTEGRATED INFORMATION SECURITY

ANALYSIS TEAM
MAINTENANCE
MA-1
SYSTEM MAINTENANCE POLICY AND

PROCEDURES
MAINTENANCE
MA-1a.

PROCEDURES
MAINTENANCE
MA-1a.1.

PROCEDURES
MAINTENANCE
MA-1a.2.

PROCEDURES
MAINTENANCE
MA-1b.

PROCEDURES
MAINTENANCE
MA-1b.1.

PROCEDURES
MAINTENANCE
MA-1b.2.

PROCEDURES
MAINTENANCE
MA-2
CONTROLLED MAINTENANCE
MAINTENANCE
MA-2a.
MAINTENANCE
MA-2b.
MAINTENANCE
MA-2c.
MAINTENANCE
MA-2d.
MAINTENANCE
MA-2e.
MAINTENANCE
MA-2f.
MAINTENANCE
MA-2 (1)
RECORD CONTENT
MAINTENANCE
MA-2 (2)
AUTOMATED MAINTENANCE ACTIVITIES
MAINTENANCE
MA-2 (2)(a)
MAINTENANCE
MA-2 (2)(b)
MAINTENANCE
MA-3
MAINTENANCE TOOLS
MAINTENANCE
MA-3 (1)
INSPECT TOOLS
MAINTENANCE
MA-3 (2)
INSPECT MEDIA
MAINTENANCE
MA-3 (3)
PREVENT UNAUTHORIZED REMOVAL
MAINTENANCE
MA-3 (3)(a)
MAINTENANCE
MA-3 (3)(b)
MAINTENANCE
MA-3 (3)(c)
MAINTENANCE
MA-3 (3)(d)
MAINTENANCE
MA-3 (4)
RESTRICTED TOOL USE
MAINTENANCE
MA-4
NONLOCAL MAINTENANCE
MAINTENANCE
MA-4a.
MAINTENANCE
MA-4b.
MAINTENANCE
MA-4c.
MAINTENANCE
MA-4d.
MAINTENANCE
MA-4e.
MAINTENANCE
MA-4 (1)
AUDITING AND REVIEW
MAINTENANCE
MA-4 (1)(a)
AUDITING AND REVIEW
MAINTENANCE
MA-4 (1)(b)
AUDITING AND REVIEW
MAINTENANCE
MA-4 (2)
DOCUMENT NONLOCAL MAINTENANCE
MAINTENANCE
MA-4 (3)
COMPARABLE SECURITY / SANITIZATION
MAINTENANCE
MA-4 (3)(a)
MAINTENANCE
MA-4 (3)(b)
MAINTENANCE
MA-4 (4)
AUTHENTICATION / SEPARATION OF
MAINTENANCE SESSIONS
MAINTENANCE
MA-4 (4)(a)
MAINTENANCE
MA-4 (4)(b)
MAINTENANCE
MA-4 (4)(b)(1)
MAINTENANCE
MA-4 (4)(b)(2)
MAINTENANCE
MA-4 (5)
APPROVALS AND NOTIFICATIONS
MAINTENANCE
MA-4 (5)(a)
MAINTENANCE
MA-4 (5)(b)
MAINTENANCE
MA-4 (6)
MAINTENANCE
MA-4 (7)
REMOTE DISCONNECT VERIFICATION
MAINTENANCE
MA-5
MAINTENANCE PERSONNEL
MAINTENANCE
MA-5a.
MAINTENANCE
MA-5b.
MAINTENANCE
MA-5c.
MAINTENANCE
MA-5 (1)
INDIVIDUALS WITHOUT APPROPRIATE

ACCESS
MAINTENANCE
MA-5 (1)(a)

ACCESS
MAINTENANCE
MA-5 (1)(a)(1)

ACCESS
MAINTENANCE
MA-5 (1)(a)(2)

ACCESS
MAINTENANCE
MA-5 (1)(b)

ACCESS
MAINTENANCE
MA-5 (2)
SECURITY CLEARANCES FOR CLASSIFIED

SYSTEMS
MAINTENANCE
MA-5 (3)
CITIZENSHIP REQUIREMENTS FOR

CLASSIFIED SYSTEMS
MAINTENANCE
MA-5 (4)
FOREIGN NATIONALS
MAINTENANCE
MA-5 (4)(a)
FOREIGN NATIONALS
MAINTENANCE
MA-5 (4)(b)
FOREIGN NATIONALS
MAINTENANCE
MA-5 (5)
NONSYSTEM-RELATED MAINTENANCE
MAINTENANCE
MA-6
TIMELY MAINTENANCE
MAINTENANCE
MA-6 (1)
PREVENTIVE MAINTENANCE
MAINTENANCE
MA-6 (2)
PREDICTIVE MAINTENANCE
MAINTENANCE
MA-6 (3)
AUTOMATED SUPPORT FOR PREDICTIVE

MAINTENANCE
MEDIA PROTECTION
MP-1
MEDIA PROTECTION POLICY AND

PROCEDURES
MEDIA PROTECTION
MP-1a.

PROCEDURES
MEDIA PROTECTION
MP-1a.1.

PROCEDURES
MEDIA PROTECTION
MP-1a.2.

PROCEDURES
MEDIA PROTECTION
MP-1b.

PROCEDURES
MEDIA PROTECTION
MP-1b.1.

PROCEDURES
MEDIA PROTECTION
MP-1b.2.

PROCEDURES
MEDIA PROTECTION
MP-2
MEDIA ACCESS
MEDIA PROTECTION
MP-2 (1)
AUTOMATED RESTRICTED ACCESS
MEDIA PROTECTION
MP-2 (2)
MEDIA PROTECTION
MP-3
MEDIA MARKING
MEDIA PROTECTION
MP-3a.
MEDIA MARKING
MEDIA PROTECTION
MP-3b.
MEDIA MARKING
MEDIA PROTECTION
MP-4
MEDIA STORAGE
MEDIA PROTECTION
MP-4a.
MEDIA STORAGE
MEDIA PROTECTION
MP-4b.
MEDIA STORAGE
MEDIA PROTECTION
MP-4 (1)
MEDIA PROTECTION
MP-4 (2)
AUTOMATED RESTRICTED ACCESS
MEDIA PROTECTION
MP-5
MEDIA TRANSPORT
MEDIA PROTECTION
MP-5a.
MEDIA TRANSPORT
MEDIA PROTECTION
MP-5b.
MEDIA TRANSPORT
MEDIA PROTECTION
MP-5c.
MEDIA TRANSPORT
MEDIA PROTECTION
MP-5d.
MEDIA TRANSPORT
MEDIA PROTECTION
MP-5 (1)
PROTECTION OUTSIDE OF CONTROLLED

AREAS
MEDIA PROTECTION
MP-5 (2)
DOCUMENTATION OF ACTIVITIES
MEDIA PROTECTION
MP-5 (3)
CUSTODIANS
MEDIA PROTECTION
MP-5 (4)
MEDIA PROTECTION
MP-6
MEDIA SANITIZATION
MEDIA PROTECTION
MP-6a.
MEDIA SANITIZATION
MEDIA PROTECTION
MP-6b.
MEDIA SANITIZATION
MEDIA PROTECTION
MP-6 (1)
REVIEW / APPROVE / TRACK / DOCUMENT /

VERIFY
MEDIA PROTECTION
MP-6 (2)
EQUIPMENT TESTING
MEDIA PROTECTION
MP-6 (3)
NONDESTRUCTIVE TECHNIQUES
MEDIA PROTECTION
MP-6 (4)
CONTROLLED UNCLASSIFIED INFORMATION
MEDIA PROTECTION
MP-6 (5)
CLASSIFIED INFORMATION
MEDIA PROTECTION
MP-6 (6)
MEDIA DESTRUCTION
MEDIA PROTECTION
MP-6 (7)
DUAL AUTHORIZATION
MEDIA PROTECTION
MP-6 (8)
REMOTE PURGING / WIPING OF

INFORMATION
MEDIA PROTECTION
MP-7
MEDIA USE
MEDIA PROTECTION
MP-7 (1)
PROHIBIT USE WITHOUT OWNER
MEDIA PROTECTION
MP-7 (2)
PROHIBIT USE OF SANITIZATION-RESISTANT

MEDIA
MEDIA PROTECTION
MP-8
MEDIA DOWNGRADING
MEDIA PROTECTION
MP-8a.
MEDIA DOWNGRADING
MEDIA PROTECTION
MP-8b.
MEDIA DOWNGRADING
MEDIA PROTECTION
MP-8c.
MEDIA DOWNGRADING
MEDIA PROTECTION
MP-8d.
MEDIA DOWNGRADING
MEDIA PROTECTION
MP-8 (1)
DOCUMENTATION OF PROCESS
MEDIA PROTECTION
MP-8 (2)
EQUIPMENT TESTING
MEDIA PROTECTION
MP-8 (3)
CONTROLLED UNCLASSIFIED INFORMATION
MEDIA PROTECTION
MP-8 (4)
PHYSICAL AND
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-1
PHYSICAL AND ENVIRONMENTAL

PROTECTION POLICY AND PROCEDURES
PE-1a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

PE-1a.1.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

PE-1a.2.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

PE-1b.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

PE-1b.1.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

PE-1b.2.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

PE-2
PHYSICAL ACCESS AUTHORIZATIONS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2b.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2c.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2d.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2 (1)
ACCESS BY POSITION / ROLE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2 (2)
TWO FORMS OF IDENTIFICATION
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-2 (3)
RESTRICT UNESCORTED ACCESS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3
PHYSICAL ACCESS CONTROL
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3a.1.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3a.2.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3b.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3c.
PE-3d.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3e.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3f.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3g.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3 (1)
INFORMATION SYSTEM ACCESS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3 (2)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
FACILITY / INFORMATION SYSTEM

BOUNDARIES
PE-3 (3)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
CONTINUOUS GUARDS / ALARMS /

MONITORING
PE-3 (4)
LOCKABLE CASINGS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3 (5)
TAMPER PROTECTION
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-3 (6)
FACILITY PENETRATION TESTING
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-4
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ACCESS CONTROL FOR TRANSMISSION

MEDIUM
PE-5
ACCESS CONTROL FOR OUTPUT DEVICES
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-5 (1)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ACCESS TO OUTPUT BY AUTHORIZED

INDIVIDUALS
PE-5 (1)(a)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

INDIVIDUALS
PE-5 (1)(b)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

INDIVIDUALS
PE-5 (2)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ACCESS TO OUTPUT BY INDIVIDUAL

IDENTITY
PE-5 (2)(a)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

IDENTITY
PE-5 (2)(b)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND

IDENTITY
PE-5 (3)
MARKING OUTPUT DEVICES
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-6
MONITORING PHYSICAL ACCESS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-6a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-6b.
PE-6c.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-6 (1)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
INTRUSION ALARMS / SURVEILLANCE

EQUIPMENT
PE-6 (2)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
AUTOMATED INTRUSION RECOGNITION /

RESPONSES
PE-6 (3)
VIDEO SURVEILLANCE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-6 (4)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
MONITORING PHYSICAL ACCESS TO

INFORMATION SYSTEMS
PE-7
VISITOR CONTROL
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-8
VISITOR ACCESS RECORDS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-8a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-8b.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-8 (1)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
AUTOMATED RECORDS MAINTENANCE /

REVIEW
PE-8 (2)
PHYSICAL ACCESS RECORDS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-9
POWER EQUIPMENT AND CABLING
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-9 (1)
REDUNDANT CABLING
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-9 (2)
AUTOMATIC VOLTAGE CONTROLS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-10
EMERGENCY SHUTOFF
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-10a.
EMERGENCY SHUTOFF
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-10b.
EMERGENCY SHUTOFF
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-10c.
EMERGENCY SHUTOFF
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-10 (1)
ACCIDENTAL / UNAUTHORIZED ACTIVATION
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-11
EMERGENCY POWER
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-11 (1)
LONG-TERM ALTERNATE POWER SUPPLY MINIMAL OPERATIONAL CAPABILITY
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-11 (2)
LONG-TERM ALTERNATE POWER SUPPLY SELF-CONTAINED
PE-11 (2)(a)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-11 (2)(b)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-11 (2)(c)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-12
EMERGENCY LIGHTING
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-12 (1)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ESSENTIAL MISSIONS / BUSINESS

FUNCTIONS
PE-13
FIRE PROTECTION
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-13 (1)
DETECTION DEVICES / SYSTEMS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-13 (2)
SUPPRESSION DEVICES / SYSTEMS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-13 (3)
AUTOMATIC FIRE SUPPRESSION
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-13 (4)
INSPECTIONS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-14
TEMPERATURE AND HUMIDITY CONTROLS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-14a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-14b.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-14 (1)
AUTOMATIC CONTROLS
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-14 (2)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
MONITORING WITH ALARMS /

NOTIFICATIONS
PE-15
WATER DAMAGE PROTECTION
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-15 (1)
AUTOMATION SUPPORT
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-16
DELIVERY AND REMOVAL
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-17
ALTERNATE WORK SITE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-17a.
ALTERNATE WORK SITE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-17b.
ALTERNATE WORK SITE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-17c.
ALTERNATE WORK SITE
PE-18
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
LOCATION OF INFORMATION SYSTEM

COMPONENTS
PE-18 (1)
FACILITY SITE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-19
INFORMATION LEAKAGE
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-19 (1)
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
NATIONAL EMISSIONS / TEMPEST POLICIES

AND PROCEDURES
PE-20
ASSET MONITORING AND TRACKING
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-20a.
ENVIRONMENTAL
PROTECTION
PHYSICAL AND
PE-20b.
ENVIRONMENTAL
PROTECTION
PLANNING
PL-1
SECURITY PLANNING POLICY AND

PROCEDURES
PLANNING
PL-1a.

PROCEDURES
PLANNING
PL-1a.1.

PROCEDURES
PLANNING
PL-1a.2.

PROCEDURES
PLANNING
PL-1b.

PROCEDURES
PLANNING
PL-1b.1.

PROCEDURES
PLANNING
PL-1b.2.

PROCEDURES
PLANNING
PL-2
SYSTEM SECURITY PLAN
PLANNING
PL-2a.
PLANNING
PL-2a.1.
PLANNING
PL-2a.2.
PLANNING
PL-2a.3.
PLANNING
PL-2a.4.
PLANNING
PL-2a.5.
PLANNING
PL-2a.6.
PLANNING
PL-2a.7.
PLANNING
PL-2a.8.
PLANNING
PL-2a.9.
PLANNING
PL-2b.
PLANNING
PL-2c.
PLANNING
PL-2d.
PLANNING
PL-2e.
PLANNING
PL-2 (1)
CONCEPT OF OPERATIONS
PLANNING
PL-2 (2)
FUNCTIONAL ARCHITECTURE
PLANNING
PL-2 (3)
PLAN / COORDINATE WITH OTHER

ORGANIZATIONAL ENTITIES
PLANNING
PL-3
SYSTEM SECURITY PLAN UPDATE
PLANNING
PL-4
RULES OF BEHAVIOR
PLANNING
PL-4a.
RULES OF BEHAVIOR
PLANNING
PL-4b.
RULES OF BEHAVIOR
PLANNING
PL-4c.
RULES OF BEHAVIOR
PLANNING
PL-4d.
RULES OF BEHAVIOR
PLANNING
PL-4 (1)
SOCIAL MEDIA AND NETWORKING

RESTRICTIONS
PLANNING
PL-5
PRIVACY IMPACT ASSESSMENT
PLANNING
PL-6
SECURITY-RELATED ACTIVITY PLANNING
PLANNING
PL-7
SECURITY CONCEPT OF OPERATIONS
PLANNING
PL-7a.
PLANNING
PL-7b.
PLANNING
PL-8
INFORMATION SECURITY ARCHITECTURE
PLANNING
PL-8a.
PLANNING
PL-8a.1.
PLANNING
PL-8a.2.
PLANNING
PL-8a.3.
PLANNING
PL-8b.
PLANNING
PL-8c.
PLANNING
PL-8 (1)
DEFENSE-IN-DEPTH
PLANNING
PL-8 (1)(a)
DEFENSE-IN-DEPTH
PLANNING
PL-8 (1)(b)
DEFENSE-IN-DEPTH
PLANNING
PL-8 (2)
SUPPLIER DIVERSITY
PLANNING
PL-9
CENTRAL MANAGEMENT
PERSONNEL SECURITY
PS-1
PERSONNEL SECURITY POLICY AND

PROCEDURES
PERSONNEL SECURITY
PS-1a.

PROCEDURES
PERSONNEL SECURITY
PS-1a.1.

PROCEDURES
PERSONNEL SECURITY
PS-1a.2.

PROCEDURES
PERSONNEL SECURITY
PS-1b.

PROCEDURES
PERSONNEL SECURITY
PS-1b.1.

PROCEDURES
PERSONNEL SECURITY
PS-1b.2.

PROCEDURES
PERSONNEL SECURITY
PS-2
POSITION RISK DESIGNATION
PERSONNEL SECURITY
PS-2a.
PERSONNEL SECURITY
PS-2b.
PERSONNEL SECURITY
PS-2c.
PERSONNEL SECURITY
PS-3
PERSONNEL SCREENING
PERSONNEL SECURITY
PS-3a.
PERSONNEL SCREENING
PERSONNEL SECURITY
PS-3b.
PERSONNEL SCREENING
PERSONNEL SECURITY
PS-3 (1)
PERSONNEL SECURITY
PS-3 (2)
FORMAL INDOCTRINATION
PERSONNEL SECURITY
PS-3 (3)
INFORMATION WITH SPECIAL PROTECTION

MEASURES
PERSONNEL SECURITY
PS-3 (3)(a)

MEASURES
PERSONNEL SECURITY
PS-3 (3)(b)

MEASURES
PERSONNEL SECURITY
PS-4
PERSONNEL TERMINATION
PERSONNEL SECURITY
PS-4a.
PERSONNEL SECURITY
PS-4b.
PERSONNEL SECURITY
PS-4c.
PERSONNEL SECURITY
PS-4d.
PERSONNEL SECURITY
PS-4e.
PERSONNEL SECURITY
PS-4f.
PERSONNEL SECURITY
PS-4 (1)
POST-EMPLOYMENT REQUIREMENTS
PERSONNEL SECURITY
PS-4 (1)(a)
PERSONNEL SECURITY
PS-4 (1)(b)
PERSONNEL SECURITY
PS-4 (2)
AUTOMATED NOTIFICATION
PERSONNEL SECURITY
PS-5
PERSONNEL TRANSFER
PERSONNEL SECURITY
PS-5a.
PERSONNEL TRANSFER
PERSONNEL SECURITY
PS-5b.
PERSONNEL TRANSFER
PERSONNEL SECURITY
PS-5c.
PERSONNEL TRANSFER
PERSONNEL SECURITY
PS-5d.
PERSONNEL TRANSFER
PERSONNEL SECURITY
PS-6
ACCESS AGREEMENTS
PERSONNEL SECURITY
PS-6a.
ACCESS AGREEMENTS
PERSONNEL SECURITY
PS-6b.
ACCESS AGREEMENTS
PERSONNEL SECURITY
PS-6c.
ACCESS AGREEMENTS
PERSONNEL SECURITY
PS-6c.1.
ACCESS AGREEMENTS
PERSONNEL SECURITY
PS-6c.2.
ACCESS AGREEMENTS
PERSONNEL SECURITY
PS-6 (1)
INFORMATION REQUIRING SPECIAL

PROTECTION
PERSONNEL SECURITY
PS-6 (2)
CLASSIFIED INFORMATION REQUIRING

SPECIAL PROTECTION
PERSONNEL SECURITY
PS-6 (2)(a)

SPECIAL PROTECTION
PERSONNEL SECURITY
PS-6 (2)(b)

SPECIAL PROTECTION
PERSONNEL SECURITY
PS-6 (2)(c)

SPECIAL PROTECTION
PERSONNEL SECURITY
PS-6 (3)
PERSONNEL SECURITY
PS-6 (3)(a)
PERSONNEL SECURITY
PS-6 (3)(b)
PERSONNEL SECURITY
PS-7
THIRD-PARTY PERSONNEL SECURITY
PERSONNEL SECURITY
PS-7a.
PERSONNEL SECURITY
PS-7b.
PERSONNEL SECURITY
PS-7c.
PERSONNEL SECURITY
PS-7d.
PERSONNEL SECURITY
PS-7e.
PERSONNEL SECURITY
PS-8
PERSONNEL SANCTIONS
PERSONNEL SECURITY
PS-8a.
PERSONNEL SANCTIONS
PERSONNEL SECURITY
PS-8b.
PERSONNEL SANCTIONS
RISK ASSESSMENT
RA-1
RISK ASSESSMENT POLICY AND

PROCEDURES
RISK ASSESSMENT
RA-1a.

PROCEDURES
RISK ASSESSMENT
RA-1a.1.

PROCEDURES
RISK ASSESSMENT
RA-1a.2.

PROCEDURES
RISK ASSESSMENT
RA-1b.

PROCEDURES
RISK ASSESSMENT
RA-1b.1.

PROCEDURES
RISK ASSESSMENT
RA-1b.2.

PROCEDURES
RISK ASSESSMENT
RA-2
SECURITY CATEGORIZATION
RISK ASSESSMENT
RA-2a.
RISK ASSESSMENT
RA-2b.
RISK ASSESSMENT
RA-2c.
RISK ASSESSMENT
RA-3
RISK ASSESSMENT
RISK ASSESSMENT
RA-3a.
RISK ASSESSMENT
RISK ASSESSMENT
RA-3b.
RISK ASSESSMENT
RISK ASSESSMENT
RA-3c.
RISK ASSESSMENT
RISK ASSESSMENT
RA-3d.
RISK ASSESSMENT
RISK ASSESSMENT
RA-3e.
RISK ASSESSMENT
RISK ASSESSMENT
RA-4
RISK ASSESSMENT UPDATE
RISK ASSESSMENT
RA-5
VULNERABILITY SCANNING
RISK ASSESSMENT
RA-5a.
RISK ASSESSMENT
RA-5b.
RISK ASSESSMENT
RA-5b.1.
RISK ASSESSMENT
RA-5b.2.
RISK ASSESSMENT
RA-5b.3.
RISK ASSESSMENT
RA-5c.
RISK ASSESSMENT
RA-5d.
RISK ASSESSMENT
RA-5e.
RISK ASSESSMENT
RA-5 (1)
UPDATE TOOL CAPABILITY
RISK ASSESSMENT
RA-5 (2)
UPDATE BY FREQUENCY / PRIOR TO NEW

SCAN / WHEN IDENTIFIED
RISK ASSESSMENT
RA-5 (3)
BREADTH / DEPTH OF COVERAGE
RISK ASSESSMENT
RA-5 (4)
DISCOVERABLE INFORMATION
RISK ASSESSMENT
RA-5 (5)
PRIVILEGED ACCESS
RISK ASSESSMENT
RA-5 (6)
AUTOMATED TREND ANALYSES
RISK ASSESSMENT
RA-5 (7)
AUTOMATED DETECTION AND NOTIFICATION

OF UNAUTHORIZED COMPONENTS
RISK ASSESSMENT
RA-5 (8)
REVIEW HISTORIC AUDIT LOGS
RISK ASSESSMENT
RA-5 (9)
PENETRATION TESTING AND ANALYSES
RISK ASSESSMENT
RA-5 (10)
CORRELATE SCANNING INFORMATION
RISK ASSESSMENT
RA-6
TECHNICAL SURVEILLANCE
COUNTERMEASURES SURVEY
SYSTEM AND SERVICES

ACQUISITION
SA-1
SYSTEM AND SERVICES ACQUISITION POLICY

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-1a.

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-1a.1.

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-1a.2.

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-1b.

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-1b.1.

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-1b.2.

AND PROCEDURES
SYSTEM AND SERVICES

ACQUISITION
SA-2
ALLOCATION OF RESOURCES
SYSTEM AND SERVICES

ACQUISITION
SA-2a.
SYSTEM AND SERVICES

ACQUISITION
SA-2b.
SYSTEM AND SERVICES

ACQUISITION
SA-2c.
SYSTEM AND SERVICES

ACQUISITION
SA-3
SYSTEM DEVELOPMENT LIFE CYCLE
SYSTEM AND SERVICES

ACQUISITION
SA-3a.
SYSTEM AND SERVICES

ACQUISITION
SA-3b.
SYSTEM AND SERVICES

ACQUISITION
SA-3c.
SYSTEM AND SERVICES

ACQUISITION
SA-3d.
SYSTEM AND SERVICES

ACQUISITION
SA-4
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4a.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4b.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4c.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4d.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4e.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4f.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4g.
ACQUISITION PROCESS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (1)
FUNCTIONAL PROPERTIES OF SECURITY

CONTROLS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (2)
DESIGN / IMPLEMENTATION INFORMATION

FOR SECURITY CONTROLS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (3)
DEVELOPMENT METHODS / TECHNIQUES /

PRACTICES
SYSTEM AND SERVICES

ACQUISITION
SA-4 (4)
SYSTEM AND SERVICES

ACQUISITION
SA-4 (5)
SYSTEM / COMPONENT / SERVICE

CONFIGURATIONS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (5)(a)

CONFIGURATIONS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (5)(b)

CONFIGURATIONS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (6)
USE OF INFORMATION ASSURANCE

PRODUCTS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (6)(a)

PRODUCTS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (6)(b)

PRODUCTS
SYSTEM AND SERVICES

ACQUISITION
SA-4 (7)
NIAP-APPROVED PROTECTION PROFILES
SYSTEM AND SERVICES

ACQUISITION
SA-4 (7)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-4 (7)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-4 (8)
CONTINUOUS MONITORING PLAN
SYSTEM AND SERVICES

ACQUISITION
SA-4 (9)
FUNCTIONS / PORTS / PROTOCOLS /

SERVICES IN USE
SYSTEM AND SERVICES

ACQUISITION
SA-4 (10)
USE OF APPROVED PIV PRODUCTS
SYSTEM AND SERVICES

ACQUISITION
SA-5
INFORMATION SYSTEM DOCUMENTATION
SYSTEM AND SERVICES

ACQUISITION
SA-5a.
SYSTEM AND SERVICES

ACQUISITION
SA-5a.1.
SYSTEM AND SERVICES

ACQUISITION
SA-5a.2.
SYSTEM AND SERVICES

ACQUISITION
SA-5a.3.
SYSTEM AND SERVICES

ACQUISITION
SA-5b.
SYSTEM AND SERVICES

ACQUISITION
SA-5b.1.
SYSTEM AND SERVICES

ACQUISITION
SA-5b.2.
SYSTEM AND SERVICES

ACQUISITION
SA-5b.3.
SYSTEM AND SERVICES

ACQUISITION
SA-5c.
SYSTEM AND SERVICES

ACQUISITION
SA-5d.
SYSTEM AND SERVICES

ACQUISITION
SA-5e.
SYSTEM AND SERVICES

ACQUISITION
SA-5 (1)
FUNCTIONAL PROPERTIES OF SECURITY

CONTROLS
SYSTEM AND SERVICES

ACQUISITION
SA-5 (2)
SECURITY-RELEVANT EXTERNAL SYSTEM

INTERFACES
SYSTEM AND SERVICES

ACQUISITION
SA-5 (3)
HIGH-LEVEL DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-5 (4)
LOW-LEVEL DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-5 (5)
SOURCE CODE
SYSTEM AND SERVICES

ACQUISITION
SA-6
SYSTEM AND SERVICES

ACQUISITION
SA-7
SYSTEM AND SERVICES

ACQUISITION
SA-8
SECURITY ENGINEERING PRINCIPLES
SYSTEM AND SERVICES

ACQUISITION
SA-9
EXTERNAL INFORMATION SYSTEM SERVICES
SYSTEM AND SERVICES

ACQUISITION
SA-9a.
SYSTEM AND SERVICES

ACQUISITION
SA-9b.
SYSTEM AND SERVICES

ACQUISITION
SA-9c.
SYSTEM AND SERVICES

ACQUISITION
SA-9 (1)
RISK ASSESSMENTS / ORGANIZATIONAL

APPROVALS
SYSTEM AND SERVICES

ACQUISITION
SA-9 (1)(a)

APPROVALS
SYSTEM AND SERVICES

ACQUISITION
SA-9 (1)(b)

APPROVALS
SYSTEM AND SERVICES

ACQUISITION
SA-9 (2)
IDENTIFICATION OF FUNCTIONS / PORTS /

PROTOCOLS / SERVICES
SYSTEM AND SERVICES

ACQUISITION
SA-9 (3)
ESTABLISH / MAINTAIN TRUST RELATIONSHIP

WITH PROVIDERS
SYSTEM AND SERVICES

ACQUISITION
SA-9 (4)
CONSISTENT INTERESTS OF CONSUMERS

AND PROVIDERS
SYSTEM AND SERVICES

ACQUISITION
SA-9 (5)
PROCESSING, STORAGE, AND SERVICE

LOCATION
SYSTEM AND SERVICES

ACQUISITION
SA-10
DEVELOPER CONFIGURATION MANAGEMENT
SYSTEM AND SERVICES

ACQUISITION
SA-10a.
SYSTEM AND SERVICES

ACQUISITION
SA-10b.
SYSTEM AND SERVICES

ACQUISITION
SA-10c.
SYSTEM AND SERVICES

ACQUISITION
SA-10d.
SYSTEM AND SERVICES

ACQUISITION
SA-10e.
SYSTEM AND SERVICES

ACQUISITION
SA-10 (1)
SOFTWARE / FIRMWARE INTEGRITY

VERIFICATION
SYSTEM AND SERVICES

ACQUISITION
SA-10 (2)
ALTERNATIVE CONFIGURATION
MANAGEMENT PROCESSES
SYSTEM AND SERVICES

ACQUISITION
SA-10 (3)
HARDWARE INTEGRITY VERIFICATION
SYSTEM AND SERVICES

ACQUISITION
SA-10 (4)
TRUSTED GENERATION
SYSTEM AND SERVICES

ACQUISITION
SA-10 (5)
MAPPING INTEGRITY FOR VERSION CONTROL
SYSTEM AND SERVICES

ACQUISITION
SA-10 (6)
TRUSTED DISTRIBUTION
SYSTEM AND SERVICES

ACQUISITION
SA-11
DEVELOPER SECURITY TESTING AND

EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11a.

EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11b.

EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11c.

EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11d.

EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11e.

EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11 (1)
STATIC CODE ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-11 (2)
THREAT AND VULNERABILITY ANALYSES
SYSTEM AND SERVICES

ACQUISITION
SA-11 (3)
INDEPENDENT VERIFICATION OF
ASSESSMENT PLANS / EVIDENCE
SYSTEM AND SERVICES

ACQUISITION
SA-11 (3)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-11 (3)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-11 (4)
MANUAL CODE REVIEWS
SYSTEM AND SERVICES

ACQUISITION
SA-11 (5)
PENETRATION TESTING
SYSTEM AND SERVICES

ACQUISITION
SA-11 (6)
ATTACK SURFACE REVIEWS
SYSTEM AND SERVICES

ACQUISITION
SA-11 (7)
VERIFY SCOPE OF TESTING / EVALUATION
SYSTEM AND SERVICES

ACQUISITION
SA-11 (8)
DYNAMIC CODE ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-12
SUPPLY CHAIN PROTECTION
SYSTEM AND SERVICES

ACQUISITION
SA-12 (1)
ACQUISITION STRATEGIES / TOOLS /

METHODS
SYSTEM AND SERVICES

ACQUISITION
SA-12 (2)
SUPPLIER REVIEWS
SYSTEM AND SERVICES

ACQUISITION
SA-12 (3)
TRUSTED SHIPPING AND WAREHOUSING
SYSTEM AND SERVICES

ACQUISITION
SA-12 (4)
DIVERSITY OF SUPPLIERS
SYSTEM AND SERVICES

ACQUISITION
SA-12 (5)
LIMITATION OF HARM
SYSTEM AND SERVICES

ACQUISITION
SA-12 (6)
MINIMIZING PROCUREMENT TIME
SYSTEM AND SERVICES

ACQUISITION
SA-12 (7)
ASSESSMENTS PRIOR TO SELECTION /

ACCEPTANCE / UPDATE
SYSTEM AND SERVICES

ACQUISITION
SA-12 (8)
USE OF ALL-SOURCE INTELLIGENCE
SYSTEM AND SERVICES

ACQUISITION
SA-12 (9)
OPERATIONS SECURITY
SYSTEM AND SERVICES

ACQUISITION
SA-12 (10)
VALIDATE AS GENUINE AND NOT ALTERED
SYSTEM AND SERVICES

ACQUISITION
SA-12 (11)
PENETRATION TESTING / ANALYSIS OF

ELEMENTS, PROCESSES, AND ACTORS
SYSTEM AND SERVICES

ACQUISITION
SA-12 (12)
INTER-ORGANIZATIONAL AGREEMENTS
SYSTEM AND SERVICES

ACQUISITION
SA-12 (13)
CRITICAL INFORMATION SYSTEM

COMPONENTS
SYSTEM AND SERVICES

ACQUISITION
SA-12 (14)
IDENTITY AND TRACEABILITY
SYSTEM AND SERVICES

ACQUISITION
SA-12 (15)
PROCESSES TO ADDRESS WEAKNESSES OR

DEFICIENCIES
SYSTEM AND SERVICES

ACQUISITION
SA-13
TRUSTWORTHINESS
SYSTEM AND SERVICES

ACQUISITION
SA-13a.
TRUSTWORTHINESS
SYSTEM AND SERVICES

ACQUISITION
SA-13b.
TRUSTWORTHINESS
SYSTEM AND SERVICES

ACQUISITION
SA-14
CRITICALITY ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-14 (1)
CRITICAL COMPONENTS WITH NO VIABLE

ALTERNATIVE SOURCING
SYSTEM AND SERVICES

ACQUISITION
SA-15
DEVELOPMENT PROCESS, STANDARDS, AND

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15a.

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15a.1.

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15a.2.

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15a.3.

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15a.4.

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15b.

TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (1)
QUALITY METRICS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (1)(a)
QUALITY METRICS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (1)(b)
QUALITY METRICS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (2)
SECURITY TRACKING TOOLS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (3)
CRITICALITY ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (4)
THREAT MODELING / VULNERABILITY

ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (4)(a)

ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (4)(b)

ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (4)(c)

ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (5)
ATTACK SURFACE REDUCTION
SYSTEM AND SERVICES

ACQUISITION
SA-15 (6)
CONTINUOUS IMPROVEMENT
SYSTEM AND SERVICES

ACQUISITION
SA-15 (7)
AUTOMATED VULNERABILITY ANALYSIS
SYSTEM AND SERVICES

ACQUISITION
SA-15 (7)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-15 (7)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-15 (7)(c)
SYSTEM AND SERVICES

ACQUISITION
SA-15 (7)(d)
SYSTEM AND SERVICES

ACQUISITION
SA-15 (8)
REUSE OF THREAT / VULNERABILITY

INFORMATION
SYSTEM AND SERVICES

ACQUISITION
SA-15 (9)
USE OF LIVE DATA
SYSTEM AND SERVICES

ACQUISITION
SA-15 (10)
SYSTEM AND SERVICES

ACQUISITION
SA-15 (11)
ARCHIVE INFORMATION SYSTEM /

COMPONENT
SYSTEM AND SERVICES

ACQUISITION
SA-16
DEVELOPER-PROVIDED TRAINING
SYSTEM AND SERVICES

ACQUISITION
SA-17
DEVELOPER SECURITY ARCHITECTURE AND

DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-17a.

DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-17b.

DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-17c.

DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-17 (1)
FORMAL POLICY MODEL
SYSTEM AND SERVICES

ACQUISITION
SA-17 (1)(a)
FORMAL POLICY MODEL
SYSTEM AND SERVICES

ACQUISITION
SA-17 (1)(b)
FORMAL POLICY MODEL
SYSTEM AND SERVICES

ACQUISITION
SA-17 (2)
SECURITY-RELEVANT COMPONENTS
SYSTEM AND SERVICES

ACQUISITION
SA-17 (2)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (2)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (3)
FORMAL CORRESPONDENCE
SYSTEM AND SERVICES

ACQUISITION
SA-17 (3)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (3)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (3)(c)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (3)(d)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (3)(e)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (4)
INFORMAL CORRESPONDENCE
SYSTEM AND SERVICES

ACQUISITION
SA-17 (4)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (4)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (4)(c)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (4)(d)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (4)(e)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (5)
CONCEPTUALLY SIMPLE DESIGN
SYSTEM AND SERVICES

ACQUISITION
SA-17 (5)(a)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (5)(b)
SYSTEM AND SERVICES

ACQUISITION
SA-17 (6)
STRUCTURE FOR TESTING
SYSTEM AND SERVICES

ACQUISITION
SA-17 (7)
STRUCTURE FOR LEAST PRIVILEGE
SYSTEM AND SERVICES

ACQUISITION
SA-18
TAMPER RESISTANCE AND DETECTION
SYSTEM AND SERVICES

ACQUISITION
SA-18 (1)
MULTIPLE PHASES OF SDLC
SYSTEM AND SERVICES

ACQUISITION
SA-18 (2)
INSPECTION OF INFORMATION SYSTEMS,

COMPONENTS, OR DEVICES
SYSTEM AND SERVICES

ACQUISITION
SA-19
COMPONENT AUTHENTICITY
SYSTEM AND SERVICES

ACQUISITION
SA-19a.
SYSTEM AND SERVICES

ACQUISITION
SA-19b.
SYSTEM AND SERVICES

ACQUISITION
SA-19 (1)
ANTI-COUNTERFEIT TRAINING
SYSTEM AND SERVICES

ACQUISITION
SA-19 (2)
CONFIGURATION CONTROL FOR

COMPONENT SERVICE / REPAIR
SYSTEM AND SERVICES

ACQUISITION
SA-19 (3)
COMPONENT DISPOSAL
SYSTEM AND SERVICES

ACQUISITION
SA-19 (4)
ANTI-COUNTERFEIT SCANNING
SYSTEM AND SERVICES

ACQUISITION
SA-20
CUSTOMIZED DEVELOPMENT OF CRITICAL

COMPONENTS
SYSTEM AND SERVICES

ACQUISITION
SA-21
DEVELOPER SCREENING
SYSTEM AND SERVICES

ACQUISITION
SA-21a.
DEVELOPER SCREENING
SYSTEM AND SERVICES

ACQUISITION
SA-21b.
DEVELOPER SCREENING
SYSTEM AND SERVICES

ACQUISITION
SA-21 (1)
VALIDATION OF SCREENING
SYSTEM AND SERVICES

ACQUISITION
SA-22
UNSUPPORTED SYSTEM COMPONENTS
SYSTEM AND SERVICES

ACQUISITION
SA-22a.
SYSTEM AND SERVICES

ACQUISITION
SA-22b.
SYSTEM AND SERVICES

ACQUISITION
SA-22 (1)
ALTERNATIVE SOURCES FOR CONTINUED

SUPPORT
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-1
SYSTEM AND COMMUNICATIONS

SC-1a.
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-1a.1.
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-1a.2.
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-1b.

COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-1b.1.

SC-1b.2.
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-2
APPLICATION PARTITIONING
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-2 (1)
INTERFACES FOR NON-PRIVILEGED USERS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-3
SECURITY FUNCTION ISOLATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-3 (1)
HARDWARE SEPARATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-3 (2)
ACCESS / FLOW CONTROL FUNCTIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-3 (3)
MINIMIZE NONSECURITY FUNCTIONALITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-3 (4)
MODULE COUPLING AND COHESIVENESS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-3 (5)
LAYERED STRUCTURES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-4
INFORMATION IN SHARED RESOURCES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-4 (1)
SECURITY LEVELS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-4 (2)
PERIODS PROCESSING
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-5
DENIAL OF SERVICE PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-5 (1)
RESTRICT INTERNAL USERS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-5 (2)
COMMUNICATIONS
PROTECTION
SYSTEM AND
EXCESS CAPACITY / BANDWIDTH /

REDUNDANCY
SC-5 (3)
DETECTION / MONITORING
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-5 (3)(a)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-5 (3)(b)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-6
RESOURCE AVAILABILITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7
BOUNDARY PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7a.
BOUNDARY PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7b.
BOUNDARY PROTECTION
SC-7c.
BOUNDARY PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (1)
PHYSICALLY SEPARATED SUBNETWORKS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (2)
PUBLIC ACCESS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (3)
ACCESS POINTS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (4)
EXTERNAL TELECOMMUNICATIONS SERVICES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (4)(a)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (4)(b)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (4)(c)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (4)(d)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (4)(e)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (5)
DENY BY DEFAULT / ALLOW BY EXCEPTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (6)
RESPONSE TO RECOGNIZED FAILURES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (7)
COMMUNICATIONS
PROTECTION
SYSTEM AND
PREVENT SPLIT TUNNELING FOR REMOTE

DEVICES
SC-7 (8)
COMMUNICATIONS
PROTECTION
SYSTEM AND
ROUTE TRAFFIC TO AUTHENTICATED PROXY

SERVERS
SC-7 (9)
COMMUNICATIONS
PROTECTION
SYSTEM AND
RESTRICT THREATENING OUTGOING

COMMUNICATIONS TRAFFIC
SC-7 (9)(a)
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (9)(b)
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (10)
PREVENT UNAUTHORIZED EXFILTRATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (11)
COMMUNICATIONS
PROTECTION
SYSTEM AND
RESTRICT INCOMING COMMUNICATIONS

TRAFFIC
SC-7 (12)
HOST-BASED PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (13)
ISOLATION OF SECURITY TOOLS /

MECHANISMS / SUPPORT COMPONENTS
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (14)
PROTECTS AGAINST UNAUTHORIZED

PHYSICAL CONNECTIONS
SC-7 (15)
ROUTE PRIVILEGED NETWORK ACCESSES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (16)
COMMUNICATIONS
PROTECTION
SYSTEM AND
PREVENT DISCOVERY OF COMPONENTS /

DEVICES
SC-7 (17)
COMMUNICATIONS
PROTECTION
SYSTEM AND
AUTOMATED ENFORCEMENT OF PROTOCOL

FORMATS
SC-7 (18)
FAIL SECURE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (19)
COMMUNICATIONS
PROTECTION
SYSTEM AND
BLOCKS COMMUNICATION FROM NONORGANIZATIONALLY CONFIGURED HOSTS
SC-7 (20)
DYNAMIC ISOLATION / SEGREGATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-7 (21)
COMMUNICATIONS
PROTECTION
SYSTEM AND
ISOLATION OF INFORMATION SYSTEM

COMPONENTS
SC-7 (22)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SEPARATE SUBNETS FOR CONNECTING TO

DIFFERENT SECURITY DOMAINS
SC-7 (23)
COMMUNICATIONS
PROTECTION
SYSTEM AND
DISABLE SENDER FEEDBACK ON PROTOCOL

VALIDATION FAILURE
SC-8
COMMUNICATIONS
PROTECTION
SYSTEM AND
TRANSMISSION CONFIDENTIALITY AND

INTEGRITY
SC-8 (1)
COMMUNICATIONS
PROTECTION
SYSTEM AND
CRYPTOGRAPHIC OR ALTERNATE PHYSICAL

PROTECTION
SC-8 (2)
PRE / POST TRANSMISSION HANDLING
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-8 (3)
COMMUNICATIONS
PROTECTION
SYSTEM AND
CRYPTOGRAPHIC PROTECTION FOR

MESSAGE EXTERNALS
SC-8 (4)
CONCEAL / RANDOMIZE COMMUNICATIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-9
TRANSMISSION CONFIDENTIALITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-10
NETWORK DISCONNECT
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-11
TRUSTED PATH
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-11 (1)
LOGICAL ISOLATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-12
COMMUNICATIONS
PROTECTION
SYSTEM AND
CRYPTOGRAPHIC KEY ESTABLISHMENT AND

MANAGEMENT
SC-12 (1)
AVAILABILITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-12 (2)
SYMMETRIC KEYS
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-12 (3)
ASYMMETRIC KEYS
SC-12 (4)
PKI CERTIFICATES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-12 (5)
PKI CERTIFICATES / HARDWARE TOKENS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-13
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-13 (1)
FIPS-VALIDATED CRYPTOGRAPHY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-13 (2)
NSA-APPROVED CRYPTOGRAPHY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-13 (3)
COMMUNICATIONS
PROTECTION
SYSTEM AND
INDIVIDUALS WITHOUT FORMAL ACCESS

APPROVALS
SC-13 (4)
DIGITAL SIGNATURES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-14
PUBLIC ACCESS PROTECTIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-15
COLLABORATIVE COMPUTING DEVICES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-15a.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-15b.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-15 (1)
PHYSICAL DISCONNECT
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-15 (2)
COMMUNICATIONS
PROTECTION
SYSTEM AND
BLOCKING INBOUND / OUTBOUND

SC-15 (3)
COMMUNICATIONS
PROTECTION
SYSTEM AND
DISABLING / REMOVAL IN SECURE WORK

AREAS
SC-15 (4)
COMMUNICATIONS
PROTECTION
SYSTEM AND
EXPLICITLY INDICATE CURRENT

PARTICIPANTS
SC-16
TRANSMISSION OF SECURITY ATTRIBUTES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-16 (1)
INTEGRITY VALIDATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-17
PUBLIC KEY INFRASTRUCTURE CERTIFICATES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18
MOBILE CODE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18a.
MOBILE CODE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18b.
MOBILE CODE
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18c.
MOBILE CODE
SC-18 (1)
COMMUNICATIONS
PROTECTION
SYSTEM AND
IDENTIFY UNACCEPTABLE CODE / TAKE

CORRECTIVE ACTIONS
SC-18 (2)
ACQUISITION / DEVELOPMENT / USE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18 (3)
PREVENT DOWNLOADING / EXECUTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18 (4)
PREVENT AUTOMATIC EXECUTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-18 (5)
COMMUNICATIONS
PROTECTION
SYSTEM AND
ALLOW EXECUTION ONLY IN CONFINED

ENVIRONMENTS
SC-19
VOICE OVER INTERNET PROTOCOL
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-19a.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-19b.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-20
COMMUNICATIONS
PROTECTION
SYSTEM AND
SECURE NAME / ADDRESS RESOLUTION

SERVICE (AUTHORITATIVE SOURCE)
SC-20a.
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-20b.
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-20 (1)
CHILD SUBSPACES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-20 (2)
DATA ORIGIN / INTEGRITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-21
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-21 (1)

SERVICE (RECURSIVE OR CACHING
RESOLVER)
DATA ORIGIN / INTEGRITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-22
COMMUNICATIONS
PROTECTION
SYSTEM AND
ARCHITECTURE AND PROVISIONING FOR

NAME / ADDRESS RESOLUTION SERVICE
SC-23
SESSION AUTHENTICITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-23 (1)
COMMUNICATIONS
PROTECTION
SYSTEM AND
INVALIDATE SESSION IDENTIFIERS AT

LOGOUT
SC-23 (2)
COMMUNICATIONS
PROTECTION
SYSTEM AND

DISPLAYS
SC-23 (3)
COMMUNICATIONS
PROTECTION
SYSTEM AND
UNIQUE SESSION IDENTIFIERS WITH

RANDOMIZATION
SC-23 (4)
UNIQUE SESSION IDENTIFIERS WITH

RANDOMIZATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-23 (5)
ALLOWED CERTIFICATE AUTHORITIES
SC-24
FAIL IN KNOWN STATE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-25
THIN NODES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-26
HONEYPOTS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-26 (1)
DETECTION OF MALICIOUS CODE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-27
PLATFORM-INDEPENDENT APPLICATIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-28
PROTECTION OF INFORMATION AT REST
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-28 (1)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-28 (2)
OFF-LINE STORAGE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-29
HETEROGENEITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-29 (1)
VIRTUALIZATION TECHNIQUES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-30
CONCEALMENT AND MISDIRECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-30 (1)
VIRTUALIZATION TECHNIQUES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-30 (2)
RANDOMNESS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-30 (3)
COMMUNICATIONS
PROTECTION
SYSTEM AND
CHANGE PROCESSING / STORAGE

LOCATIONS
SC-30 (4)
MISLEADING INFORMATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-30 (5)
CONCEALMENT OF SYSTEM COMPONENTS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-31
COVERT CHANNEL ANALYSIS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-31a.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-31b.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-31 (1)
COMMUNICATIONS
PROTECTION
SYSTEM AND
TEST COVERT CHANNELS FOR

EXPLOITABILITY
SC-31 (2)
MAXIMUM BANDWIDTH
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-31 (3)
MEASURE BANDWIDTH IN OPERATIONAL

ENVIRONMENTS
SC-32
INFORMATION SYSTEM PARTITIONING
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-33
TRANSMISSION PREPARATION INTEGRITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34
NON-MODIFIABLE EXECUTABLE PROGRAMS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34a.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34b.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34 (1)
NO WRITABLE STORAGE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34 (2)
INTEGRITY PROTECTION / READ-ONLY MEDIA
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34 (3)
HARDWARE-BASED PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34 (3)(a)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-34 (3)(b)
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-35
HONEYCLIENTS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-36
DISTRIBUTED PROCESSING AND STORAGE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-36 (1)
POLLING TECHNIQUES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-37
OUT-OF-BAND CHANNELS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-37 (1)
ENSURE DELIVERY / TRANSMISSION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-38
OPERATIONS SECURITY
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-39
PROCESS ISOLATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-39 (1)
HARDWARE SEPARATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-39 (2)
THREAD ISOLATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-40
WIRELESS LINK PROTECTION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-40 (1)
ELECTROMAGNETIC INTERFERENCE
COMMUNICATIONS
PROTECTION
SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-40 (2)
REDUCE DETECTION POTENTIAL
SC-40 (3)
COMMUNICATIONS
PROTECTION
SYSTEM AND
IMITATIVE OR MANIPULATIVE
COMMUNICATIONS DECEPTION
SC-40 (4)
SIGNAL PARAMETER IDENTIFICATION
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-41
PORT AND I/O DEVICE ACCESS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-42
SENSOR CAPABILITY AND DATA
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-42a.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-42b.
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-42 (1)
COMMUNICATIONS
PROTECTION
SYSTEM AND
REPORTING TO AUTHORIZED INDIVIDUALS

OR ROLES
SC-42 (2)
AUTHORIZED USE
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-42 (3)
PROHIBIT USE OF DEVICES
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-43
USAGE RESTRICTIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-43a.
USAGE RESTRICTIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-43b.
USAGE RESTRICTIONS
COMMUNICATIONS
PROTECTION
SYSTEM AND
SC-44
DETONATION CHAMBERS
COMMUNICATIONS
PROTECTION
SYSTEM AND INFORMATION SI-1
INTEGRITY
SYSTEM AND INFORMATION INTEGRITY

SYSTEM AND INFORMATION SI-1a.

INTEGRITY

SYSTEM AND INFORMATION SI-1a.1.

INTEGRITY


INTEGRITY

SYSTEM AND INFORMATION SI-1b.

INTEGRITY

SYSTEM AND INFORMATION SI-1b.1.

INTEGRITY

SYSTEM AND INFORMATION SI-1b.2.

INTEGRITY


INTEGRITY
FLAW REMEDIATION

INTEGRITY
FLAW REMEDIATION

INTEGRITY
FLAW REMEDIATION
SYSTEM AND INFORMATION SI-2c.

INTEGRITY
FLAW REMEDIATION
SYSTEM AND INFORMATION SI-2d.

INTEGRITY
FLAW REMEDIATION
SYSTEM AND INFORMATION SI-2 (1)

INTEGRITY
CENTRAL MANAGEMENT

INTEGRITY
AUTOMATED FLAW REMEDIATION STATUS

INTEGRITY
TIME TO REMEDIATE FLAWS / BENCHMARKS

FOR CORRECTIVE ACTIONS
SYSTEM AND INFORMATION SI-2 (3)(a)

INTEGRITY

SYSTEM AND INFORMATION SI-2 (3)(b)

INTEGRITY


INTEGRITY
AUTOMATED PATCH MANAGEMENT TOOLS

INTEGRITY
AUTOMATIC SOFTWARE / FIRMWARE

UPDATES

INTEGRITY
REMOVAL OF PREVIOUS VERSIONS OF

SOFTWARE / FIRMWARE

INTEGRITY
MALICIOUS CODE PROTECTION

INTEGRITY

INTEGRITY

INTEGRITY
SYSTEM AND INFORMATION SI-3c.1.

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY
CENTRAL MANAGEMENT

INTEGRITY
AUTOMATIC UPDATES

INTEGRITY
NON-PRIVILEGED USERS

INTEGRITY
UPDATES ONLY BY PRIVILEGED USERS

INTEGRITY
PORTABLE STORAGE DEVICES

INTEGRITY
TESTING / VERIFICATION

INTEGRITY

INTEGRITY

INTEGRITY
NONSIGNATURE-BASED DETECTION

INTEGRITY
DETECT UNAUTHORIZED COMMANDS

INTEGRITY
AUTHENTICATE REMOTE COMMANDS

INTEGRITY
MALICIOUS CODE ANALYSIS

INTEGRITY

INTEGRITY

INTEGRITY
INFORMATION SYSTEM MONITORING

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY
SYSTEM AND INFORMATION SI-4e.

INTEGRITY
SYSTEM AND INFORMATION SI-4f.

INTEGRITY
SYSTEM AND INFORMATION SI-4g.

INTEGRITY

INTEGRITY
SYSTEM-WIDE INTRUSION DETECTION

SYSTEM

INTEGRITY
AUTOMATED TOOLS FOR REAL-TIME

ANALYSIS

INTEGRITY
AUTOMATED TOOL INTEGRATION

INTEGRITY
INBOUND AND OUTBOUND


INTEGRITY
SYSTEM-GENERATED ALERTS

INTEGRITY
RESTRICT NON-PRIVILEGED USERS

INTEGRITY
AUTOMATED RESPONSE TO SUSPICIOUS

EVENTS

INTEGRITY
PROTECTION OF MONITORING INFORMATION

INTEGRITY
TESTING OF MONITORING TOOLS

INTEGRITY
VISIBILITY OF ENCRYPTED COMMUNICATIONS

INTEGRITY
ANALYZE COMMUNICATIONS TRAFFIC

ANOMALIES

INTEGRITY
AUTOMATED ALERTS

INTEGRITY
ANALYZE TRAFFIC / EVENT PATTERNS

INTEGRITY

INTEGRITY
SYSTEM AND INFORMATION SI-4 (13)(c)

INTEGRITY

INTEGRITY
WIRELESS INTRUSION DETECTION

INTEGRITY
WIRELESS TO WIRELINE COMMUNICATIONS

INTEGRITY
CORRELATE MONITORING INFORMATION

INTEGRITY
INTEGRATED SITUATIONAL AWARENESS

INTEGRITY
ANALYZE TRAFFIC / COVERT EXFILTRATION

INTEGRITY
INDIVIDUALS POSING GREATER RISK

INTEGRITY
PRIVILEGED USERS

INTEGRITY
PROBATIONARY PERIODS

INTEGRITY
UNAUTHORIZED NETWORK SERVICES

INTEGRITY
HOST-BASED DEVICES

INTEGRITY
INDICATORS OF COMPROMISE

INTEGRITY
SECURITY ALERTS, ADVISORIES, AND

DIRECTIVES

INTEGRITY

DIRECTIVES

INTEGRITY

DIRECTIVES

INTEGRITY

DIRECTIVES

INTEGRITY

DIRECTIVES

INTEGRITY
AUTOMATED ALERTS AND ADVISORIES

INTEGRITY
SECURITY FUNCTION VERIFICATION

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY

INTEGRITY
NOTIFICATION OF FAILED SECURITY TESTS

INTEGRITY
AUTOMATION SUPPORT FOR DISTRIBUTED

TESTING

INTEGRITY
REPORT VERIFICATION RESULTS

INTEGRITY
SOFTWARE, FIRMWARE, AND INFORMATION

INTEGRITY

INTEGRITY
INTEGRITY CHECKS

INTEGRITY
AUTOMATED NOTIFICATIONS OF INTEGRITY

VIOLATIONS

INTEGRITY
CENTRALLY-MANAGED INTEGRITY TOOLS

INTEGRITY
TAMPER-EVIDENT PACKAGING

INTEGRITY
AUTOMATED RESPONSE TO INTEGRITY

VIOLATIONS

INTEGRITY

INTEGRITY
INTEGRATION OF DETECTION AND

RESPONSE

INTEGRITY
AUDITING CAPABILITY FOR SIGNIFICANT

EVENTS

INTEGRITY
VERIFY BOOT PROCESS

INTEGRITY
PROTECTION OF BOOT FIRMWARE

INTEGRITY
CONFINED ENVIRONMENTS WITH LIMITED

PRIVILEGES

INTEGRITY
INTEGRITY VERIFICATION

INTEGRITY
CODE EXECUTION IN PROTECTED

ENVIRONMENTS

INTEGRITY
BINARY OR MACHINE EXECUTABLE CODE

INTEGRITY

INTEGRITY

INTEGRITY
CODE AUTHENTICATION

INTEGRITY
TIME LIMIT ON PROCESS EXECUTION W/O

SUPERVISION

INTEGRITY
SPAM PROTECTION

INTEGRITY
SPAM PROTECTION

INTEGRITY
SPAM PROTECTION

INTEGRITY
CENTRAL MANAGEMENT

INTEGRITY
AUTOMATIC UPDATES

INTEGRITY
CONTINUOUS LEARNING CAPABILITY

INTEGRITY
INFORMATION INPUT RESTRICTIONS

INTEGRITY
INFORMATION INPUT VALIDATION

INTEGRITY
MANUAL OVERRIDE CAPABILITY

INTEGRITY

INTEGRITY
SYSTEM AND INFORMATION SI-10 (1)(c)

INTEGRITY

INTEGRITY
REVIEW / RESOLUTION OF ERRORS

INTEGRITY
PREDICTABLE BEHAVIOR

INTEGRITY
REVIEW / TIMING INTERACTIONS

INTEGRITY
RESTRICT INPUTS TO TRUSTED SOURCES

AND APPROVED FORMATS

INTEGRITY
ERROR HANDLING

INTEGRITY
ERROR HANDLING

INTEGRITY
ERROR HANDLING

INTEGRITY
INFORMATION HANDLING AND RETENTION

INTEGRITY
PREDICTABLE FAILURE PREVENTION

INTEGRITY

INTEGRITY

INTEGRITY
TRANSFERRING COMPONENT
RESPONSIBILITIES

INTEGRITY
TIME LIMIT ON PROCESS EXECUTION

WITHOUT SUPERVISION

INTEGRITY
MANUAL TRANSFER BETWEEN COMPONENTS

INTEGRITY
STANDBY COMPONENT INSTALLATION /

NOTIFICATION

INTEGRITY

NOTIFICATION

INTEGRITY

NOTIFICATION

INTEGRITY
FAILOVER CAPABILITY

INTEGRITY
NON-PERSISTENCE

INTEGRITY
REFRESH FROM TRUSTED SOURCES

INTEGRITY
INFORMATION OUTPUT FILTERING

INTEGRITY
MEMORY PROTECTION

INTEGRITY
FAIL-SAFE PROCEDURES
PROGRAM MANAGEMENT
PM-1
INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT
PM-1a.
PROGRAM MANAGEMENT
PM-1a.1.
PROGRAM MANAGEMENT
PM-1a.2.
PROGRAM MANAGEMENT
PM-1a.3.
PROGRAM MANAGEMENT
PM-1a.4.
PROGRAM MANAGEMENT
PM-1b.
PROGRAM MANAGEMENT
PM-1c.
PROGRAM MANAGEMENT
PM-1d.
PROGRAM MANAGEMENT
PM-2
SENIOR INFORMATION SECURITY OFFICER
PROGRAM MANAGEMENT
PM-3
INFORMATION SECURITY RESOURCES
PROGRAM MANAGEMENT
PM-3a.
PROGRAM MANAGEMENT
PM-3b.
PROGRAM MANAGEMENT
PM-3c.
PROGRAM MANAGEMENT
PM-4

PROCESS
PROGRAM MANAGEMENT
PM-4a.

PROCESS
PROGRAM MANAGEMENT
PM-4a.1.

PROCESS
PROGRAM MANAGEMENT
PM-4a.2.

PROCESS
PROGRAM MANAGEMENT
PM-4a.3.

PROCESS
PROGRAM MANAGEMENT
PM-4b.

PROCESS
PROGRAM MANAGEMENT
PM-5
INFORMATION SYSTEM INVENTORY
PROGRAM MANAGEMENT
PM-6
INFORMATION SECURITY MEASURES OF

PERFORMANCE
PROGRAM MANAGEMENT
PM-7
ENTERPRISE ARCHITECTURE
PROGRAM MANAGEMENT
PM-8
CRITICAL INFRASTRUCTURE PLAN
PROGRAM MANAGEMENT
PM-9
RISK MANAGEMENT STRATEGY
PROGRAM MANAGEMENT
PM-9a.
PROGRAM MANAGEMENT
PM-9b.
PROGRAM MANAGEMENT
PM-9c.
PROGRAM MANAGEMENT
PM-10
SECURITY AUTHORIZATION PROCESS
PROGRAM MANAGEMENT
PM-10a.
PROGRAM MANAGEMENT
PM-10b.
PROGRAM MANAGEMENT
PM-10c.
PROGRAM MANAGEMENT
PM-11
MISSION/BUSINESS PROCESS DEFINITION
PROGRAM MANAGEMENT
PM-11a.
PROGRAM MANAGEMENT
PM-11b.
PROGRAM MANAGEMENT
PM-12
INSIDER THREAT PROGRAM
PROGRAM MANAGEMENT
PM-13
INFORMATION SECURITY WORKFORCE
PROGRAM MANAGEMENT
PM-14
TESTING, TRAINING, AND MONITORING
PROGRAM MANAGEMENT
PM-14a.
PROGRAM MANAGEMENT
PM-14a.1.
PROGRAM MANAGEMENT
PM-14a.2.
PROGRAM MANAGEMENT
PM-14b.
PROGRAM MANAGEMENT
PM-15

ASSOCIATIONS
PROGRAM MANAGEMENT
PM-15a.

ASSOCIATIONS
PROGRAM MANAGEMENT
PM-15b.

ASSOCIATIONS
PROGRAM MANAGEMENT
PM-15c.

ASSOCIATIONS
PROGRAM MANAGEMENT
PM-16
THREAT AWARENESS PROGRAM
PRIORITY
BASELINE-IMPACT
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P3
HIGH
P3
MODERATE,HIGH
P3
MODERATE,HIGH
P3
MODERATE,HIGH
P3
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P2
MODERATE,HIGH
P3
MODERATE,HIGH
P4
MODERATE,HIGH
P5
MODERATE,HIGH
P6
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
HIGH
P2
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
HIGH
P2
HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
P1
P1
P1
P1
P1
P1
LOW,MODERATE,HIGH
P1
P1
P1
P1
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE
P1
MODERATE
P1
MODERATE
P1
MODERATE
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P3
MODERATE,HIGH
P3
MODERATE,HIGH
P3
MODERATE,HIGH
P3
HIGH
P3
HIGH
P3
HIGH
P3
HIGH
P3
HIGH
P3
HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
HIGH
P3
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P3
HIGH
P3
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P0
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P3
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P0
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P2
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P0
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
LOW,MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P1
HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P1
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
MODERATE,HIGH
P2
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P0
LOW,MODERATE,HIGH
P1
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
P0
MODERATE,HIGH
DESCRIPTION
The organization:
Develops, documents, and disseminates to [Assignment:
organization-defined personnel or roles]:
An access control policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination
among
organizational
and compliance;
and
Procedures
to facilitateentities,
the implementation
of the
access
control policy and associated access controls; and
Reviews and updates the current:
Access control policy [Assignment: organization-defined
frequency]; and
Access control procedures [Assignment: organization-defined
frequency].
The organization:
Identifies and selects the following types of information system
accounts to support organizational missions/business functions:
[Assignment:
organization-defined
information
system
account
Assigns account
managers for information
system
accounts;
types];
Establishes conditions for group and role membership;
Specifies authorized users of the information system, group
and role membership, and access authorizations (i.e.,
privileges)
and other
(as required)
for each account;
Requires approvals
byattributes
[Assignment:
personnel or roles] for requests to create information system
accounts;
Creates, enables, modifies, disables, and removes information
system accounts in accordance with [Assignment: organizationdefined
or conditions];
Monitorsprocedures
the use of information
system accounts;
Notifies account managers:
When accounts are no longer required;
When users are terminated or transferred; and
When individual information system usage or need-to-know
changes;
Authorizes access to the information system based on:
A valid access authorization;
Intended system usage; and

Other attributes as required by the organization or associated
missions/business functions;
Reviews accounts for compliance with account management
requirements [Assignment: organization-defined frequency];
and
Establishes a process for reissuing shared/group account
credentials (if deployed) when individuals are removed from
the
The group.
organization employs automated mechanisms to support
the management of information system accounts.
The information system automatically [Selection: removes;
disables] temporary and emergency accounts after
[Assignment:
time
period for
each type of
The information
system automatically
disables
inactive
account].
accounts after [Assignment: organization-defined time period].
The information system automatically audits account creation,
modification, enabling, disabling, and removal actions, and
notifies
[Assignment:
or roles].
The organization
requires
that users log outpersonnel
when [Assignment:
organization-defined time-period of expected inactivity or
description
of when
to log
out].
The information
system
implements
the following dynamic
privilege management capabilities: [Assignment: organizationdefined
list of dynamic privilege management capabilities].
The organization:
Establishes and administers privileged user accounts in
accordance with a role-based access scheme that organizes
allowed
system
access and
privileges into roles;
Monitorsinformation
privileged role
assignments;
and
Takes [Assignment: organization-defined actions] when
privileged role assignments are no longer appropriate.
The information system creates [Assignment: organizationdefined information system accounts] dynamically.
The organization only permits the use of shared/group accounts
that meet [Assignment: organization-defined conditions for
establishing
shared/group
accounts].
The information
system terminates
shared/group account
credentials when members leave the group.
The information system enforces [Assignment: organizationdefined circumstances and/or usage conditions] for
[Assignment:
organization-defined information system
The organization:
accounts].
Monitors information system accounts for [Assignment:
organization-defined atypical usage]; and
Reports atypical usage of information system accounts to
[Assignment: organization-defined personnel or roles].
The organization disables accounts of users posing a significant
risk within [Assignment: organization-defined time period] of
discovery of the risk.
The information system enforces approved authorizations for

logical access to information
and system resources in
accordance
with
applicable
access
control
policies.
[Withdrawn: Incorporated into AC-6].
The information system enforces dual authorization for
[Assignment: organization-defined privileged commands and/or
other
actions].
The information
system enforces
[Assignment: organizationdefined mandatory access control policy] over all subjects and
objects
where
the policy:
Is uniformly
enforced
across all subjects and objects within the
boundary of the information system;
Specifies that a subject that has been granted access to
information is constrained from doing any of the following;
Passing the information to unauthorized subjects or objects;
Granting its privileges to other subjects;
Changing one or more security attributes on subjects, objects,
the information system, or information system components;
Choosing the security attributes and attribute values to be
associated with newly created or modified objects; or
Changing the rules governing access control; and
Specifies that [Assignment: organization-defined subjects] may
explicitly be granted [Assignment: organization-defined
privileges
(i.e., they
are enforces
trusted subjects)]
suchorganizationthat they are
The information
system
[Assignment:
not
limited
by
some
or
all
of
the
above
constraints.
defined discretionary access control policy] over defined
subjects
objects where
policy
specifies
that a subject
Pass the and
information
to anythe
other
subjects
or objects;
that has been granted access to information can do one or
more of the following:
Grant its privileges to other subjects;
Change security attributes on subjects, objects, the information
system, or the information systems components;
Choose the security attributes to be associated with newly
created or revised objects; or
Change the rules governing access control.
The information system prevents access to [Assignment:
organization-defined security-relevant information] except
during
secure,
non-operable
system
states.
[Withdrawn:
Incorporated
into
MP-4 and
SC-28].
The information system enforces a role-based access control
policy over defined subjects and objects and controls access
based
upon [Assignment:
and users
The information
system enforces
the revocationroles
of access
authorized
to
assume
such
roles].
authorizations resulting from changes to the security attributes
of subjects and objects based on [Assignment: organizationdefined rules governing the timing of revocations of access
authorizations].
The information system does not release information outside of

the established system boundary unless:
The receiving [Assignment: organization-defined information
system or system component] provides [Assignment:
security safeguards];
[Assignment: organization-defined
securityand
safeguards] are
used to validate the appropriateness of the information
designated
for release.
The organization
employs an audited override of automated
access control mechanisms under [Assignment: organizationdefined
conditions].
The information
system enforces approved authorizations for
controlling the flow of information within the system and
between
interconnected
systems
based on organization[Assignment:
The information
system uses
[Assignment:
information
flow
control
policies].
defined security attributes] associated with [Assignment:
information,
source,
and destination
The information system
uses protected
processing
domains to
objects]
to
enforce
[Assignment:
enforce [Assignment: organization-defined information flow
information
flow as
control
policies]
ascontrol
a basis for flow control
control
policies]
a basis
for flow
The
information
system
enforces
dynamic decisions.
information flow
decisions.
control based on [Assignment: organization-defined policies].
The information system prevents encrypted information from
bypassing content-checking mechanisms by [Selection (one or
more):
decrypting
the information;
blocking theorganizationflow of the
The information
system
enforces [Assignment:
encrypted
information;
terminating
communications
defined limitations] on embedding data types within sessions
other data
attempting
to pass encrypted information; [Assignment:
types.
The
information system
enforcesorinformation
procedure
method]]. flow control based
on [Assignment: organization-defined metadata].
The information system enforces [Assignment: organizationdefined one-way information flows] using hardware
mechanisms.
The information system enforces information flow control using
[Assignment: organization-defined security policy filters] as a
basis
for flow control
decisions
forthe
[Assignment:
organizationThe information
system
enforces
use of human
reviews for
defined
information
flows].
[Assignment: organization-defined information flows] under the
following
conditions:
[Assignment:
The information
system
provides the
capability for privileged
conditions].
administrators to enable/disable [Assignment: organizationdefined
security system
policy filters]
under
following
The information
provides
thethe
capability
forconditions:
privileged
[Assignment:
conditions].
administrators to configure [Assignment: organization-defined
security
policy filters]
to support
different security
policies.
The information
system,
when transferring
information
between different security domains, uses [Assignment:
datawhen
type transferring
identifiers] to
validate data
The information system,
information
essential
for
information
flow
decisions.
between different security domains, decomposes information
into
[Assignment:
policy-relevant
The information
system,
when transferring
information
subcomponents]
for
submission
to
policy
enforcement
between different security domains, implements
[Assignment:
mechanisms.
security
policy
filters]
requiring
fully
The information system, when transferring information
enumerated
formats
that
restrict
data
structure
and
content.
between different security domains, examines the information
for
the presence
of [Assignment:
organized-defined
[Withdrawn:
Incorporated
into AC-4].
unsanctioned information] and prohibits the transfer of such
information in accordance with the [Assignment: organizationThe
information
defined
security system
policy]. uniquely identifies and authenticates
source and destination points by [Selection (one or more):
organization, system, application, individual] for information
transfer.
The information system binds security attributes to information

using [Assignment: organization-defined binding techniques] to
facilitate
information
flowwhen
policy
enforcement.
The information
system,
transferring
information
between different security domains, applies the same security
policy
filtering to employs
metadata[Assignment:
as it applies organization-defined
to data payloads.
The organization
solutions in approved configurations] to control the flow of
[Assignment:
information]flows
across
security
The information
system separates information
logically
or
domains.
physically using [Assignment: organization-defined
mechanisms
and/or
techniques]
accomplish
The information
system
providesto
access
from a[Assignment:
single device to
required
separations
types on
of multiple
computing platforms, applications, or databy
residing
information].
different
security domains, while preventing any information
The organization:
flow between the different security domains.
Separates [Assignment: organization-defined duties of
individuals];
Documents separation of duties of individuals; and
Defines information system access authorizations to support
separation of duties.
The organization employs the principle of least privilege,
allowing only authorized accesses for users (or processes
acting
on behalf of
users) which
are necessary
accomplish
The organization
explicitly
authorizes
access toto
[Assignment:
assigned
tasks
in
accordance
with
organizational
missions
and
organization-defined security functions (deployed in hardware,
business
functions.
software,
and firmware)
and
security-relevant
information].
The organization
requires
that
users of information
system
accounts, or roles, with access to [Assignment: organizationdefined
security functions
ornetwork
security-relevant
The organization
authorizes
access to information],
[Assignment:use
non-privileged
accounts
or
roles,
when
accessing
nonsecurity
organization-defined privileged commands] only for
functions.
[Assignment:
compelling
operational
The information
system provides separate
processing
domains
needs]
and
documents
the
rationale
for
such
access
in
the
to enable finer-grained allocation of user privileges.
security plan for the information system.
The organization restricts privileged accounts on the
information system to [Assignment: organization-defined
personnel
or roles].
The organization
prohibits privileged access to the information
system by non-organizational users.
The organization:
Reviews [Assignment: organization-defined frequency] the
privileges assigned to [Assignment: organization-defined roles
or
classes of
to privileges,
validate theif need
for such
Reassigns
or users]
removes
necessary,
to privileges;
correctly
and
reflect organizational mission/business needs.
The information system prevents [Assignment: organizationdefined software] from executing at higher privilege levels than
users
executing the
software.
The information
system
audits the execution of privileged
functions.
The information system prevents non-privileged users from
executing privileged functions to include disabling,
circumventing, or altering implemented security
safeguards/countermeasures.
The information system:

Enforces a limit of [Assignment: organization-defined number]
consecutive invalid logon attempts by a user during a
[Assignment:
period]; and
Automatically organization-defined
[Selection: locks the time
account/node
for an
[Assignment: organization-defined time period]; locks the
account/node
until released
byAC-7].
an administrator; delays next
[Withdrawn: Incorporated
into
logon prompt according to [Assignment: organization-defined
delay algorithm]] when the maximum number of unsuccessful
The
information
system purges/wipes information from
attempts
is exceeded.
[Assignment: organization-defined mobile devices] based on
[Assignment:
purging/wiping
The information
system:
requirements/techniques] after [Assignment: organizationdefined number] consecutive, unsuccessful device logon
Displays
attempts.to users [Assignment: organization-defined system
use notification message or banner] before granting access to
the
system
that provides
and security
notices
Users
are accessing
a U.S.privacy
Government
information
system;
consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance and
Information
states that: system usage may be monitored, recorded, and
subject to audit;
Unauthorized use of the information system is prohibited and
subject to criminal and civil penalties; and
Use of the information system indicates consent to monitoring
and recording;
Retains the notification message or banner on the screen until
users acknowledge the usage conditions and take explicit
actions
to log
on to or further
access the information system;
For publicly
accessible
systems:
and
Displays system use information [Assignment: organizationdefined conditions], before granting further access;
Displays references, if any, to monitoring, recording, or
auditing that are consistent with privacy accommodations for
such
systems
that generally
those
activities;
and
Includes
a description
of the prohibit
authorized
uses
of the system.
The information system notifies the user, upon successful logon
(access) to the system, of the date and time of the last logon
(access).
The information system notifies the user, upon successful
logon/access, of the number of unsuccessful logon/access
attempts
since the
last successful
logon/access.
The information
system
notifies the
user of the number of
[Selection: successful logons/accesses; unsuccessful
logon/access
attempts;
during
[Assignment:
organizationThe information
system both]
notifies
the user
of changes
to
defined
time
period].
[Assignment: organization-defined security-related
characteristics/parameters
of thethe
users
account]
duringlogon
The information system notifies
user, upon
successful
[Assignment:
time
period].
(access), of the following additional information: [Assignment:
information
be included
in addition to
limits theto
number
of concurrent
the
date
and
time
of
the
last
logon
(access)].
sessions for each [Assignment: organization-defined account
and/or account type] to [Assignment: organization-defined
number].

Prevents further access to the system by initiating a session
lock after [Assignment: organization-defined time period] of
inactivity
or session
upon receiving
a the
request
a user; and
Retains the
lock until
userfrom
reestablishes
access
using established identification and authentication procedures.
The information system conceals, via the session lock,
information previously visible on the display with a publicly
viewable
image. system automatically terminates a user
The information
session after [Assignment: organization-defined conditions or
trigger
events requiring
The information
system:session disconnect].
Provides a logout capability for user-initiated communications
sessions whenever authentication is used to gain access to
[Assignment:
resources];
Displays an explicit
logout messageinformation
to users indicating
the and
reliable termination of authenticated communications sessions.
[Withdrawn: Incorporated into AC-2 and AU-6].
The organization:
Identifies [Assignment: organization-defined user actions] that
can be performed on the information system without
identification
or authentication
consistent
withinorganizational
Documents and
provides supporting
rationale
the security
missions/business
functions;
and
plan for the information system, user actions not requiring
identification
or authentication.
into AC-14].
[Withdrawn: Incorporated into MP-3].
The organization:
Provides the means to associate [Assignment: organizationdefined types of security attributes] having [Assignment:
security
attribute
values] with
information
Ensures that the security
attribute
associations
are made
and
in
storage,
in
process,
and/or
in
transmission;
retained with the information;
Establishes the permitted [Assignment: organization-defined
security attributes] for [Assignment: organization-defined
information
and [Assignment: organization-defined
Determines systems];
the permitted
values or ranges] for each of the established security
attributes.
The information system dynamically associates security
attributes with [Assignment: organization-defined subjects and
objects]
in accordance
[Assignment:
The information
systemwith
provides
authorized
individuals (or
security
policies]
as
information
is
created
andcapability
combined.
processes acting on behalf of individuals) the
to
define
or changesystem
the value
of associated
security attributes.
The information
maintains
the association
and integrity
of [Assignment: organization-defined security attributes] to
[Assignment: organization-defined subjects and objects].
The information system supports the association of

[Assignment: organization-defined security attributes] with
[Assignment:
subjects
and objects]
by
The information
system displays security
attributes
in humanauthorized
individuals
processes
acting
on transmits
behalf of to
readable form
on each (or
object
that the
system
individuals).
output
devices toallows
identify
[Assignment:
organization-identified
The organization
personnel
to associate,
and maintain
special
dissemination,
handling,
or
distribution
instructions]
the association of [Assignment: organization-defined
security
using
[Assignment:
organization-identified
human-readable,
attributes]
with
[Assignment:
subjects
and
The
organization
provides
a consistent interpretation of
standard
naming
conventions].
objects]
accordance
with [Assignment:
security in
attributes
transmitted
between distributed
information
security
policies].
system
components.
The information system implements [Assignment: organizationdefined techniques or technologies] with [Assignment:
levelthat
of assurance]
in associating
security
The organization ensures
security attributes
associated
attributes
to
information.
with information are reassigned only via re-grading
mechanisms
validated
[Assignment:
The information
systemusing
provides
authorized
individuals the
techniques
or
procedures].
capability to define or change the type and value of security
attributes
available for association with subjects and objects.
The organization:
Establishes and documents usage restrictions,
configuration/connection requirements, and implementation
guidance
each type
of remote
access allowed;
and
Authorizesfor
remote
access
to the information
system
prior to
allowing such connections.
The information system monitors and controls remote access
methods.
The information system implements cryptographic mechanisms
to protect the confidentiality and integrity of remote access
sessions.
The information system routes all remote accesses through
[Assignment: organization-defined number] managed network
access
control points.
The organization:
Authorizes the execution of privileged commands and access to
security-relevant information via remote access only for
[Assignment:
needs];
Documents the
rationale for such access
inand
the security plan
for the information system.
[Withdrawn: Incorporated into SI-4].
The organization ensures that users protect information about
remote access mechanisms from unauthorized use and
disclosure.
[Withdrawn: Incorporated into AC-3 (10)].
[Withdrawn: Incorporated into CM-7].
The organization provides the capability to expeditiously
disconnect or disable remote access to the information system
within
[Assignment: organization-defined time period].
The organization:
Establishes usage restrictions, configuration/connection

requirements, and implementation guidance for wireless
access;
andwireless access to the information system prior to
Authorizes
allowing such connections.
The information system protects wireless access to the system
using authentication of [Selection (one or more): users;
devices]
andIncorporated
encryption. into SI-4].
[Withdrawn:
The organization disables, when not intended for use, wireless
networking capabilities internally embedded within information
system
components
prior toand
issuance
andauthorizes
deployment.
The organization
identifies
explicitly
users
allowed to independently configure wireless networking
capabilities.
The organization selects radio antennas and calibrates
transmission power levels to reduce the probability that usable
signals
can be received outside of organization-controlled
The organization:
boundaries.
Establishes usage restrictions, configuration requirements,
connection requirements, and implementation guidance for
organization-controlled
mobile
devices;
and to organizational
Authorizes the connection
of mobile
devices
information systems.
The organization:
Prohibits the use of unclassified mobile devices in facilities
containing information systems processing, storing, or
transmitting
information on
unless
specifically
permitted
Enforces the classified
following restrictions
individuals
permitted
by
by
the
authorizing
official;
and
the authorizing official to use unclassified mobile devices in
facilities
containing
information
systems
storing, or
Connection
of unclassified
mobile
devicesprocessing,
to classified
transmitting
classified
information:
information systems is prohibited;
Connection of unclassified mobile devices to unclassified
information systems requires approval from the authorizing
official;
Use of internal or external modems or wireless interfaces within
the unclassified mobile devices is prohibited; and
Unclassified mobile devices and the information stored on
those devices are subject to random reviews and inspections
by
[Assignment:
security
officials],
Restricts
the connection
of classified mobile
devices
to and if
classified
information
is
found,
the
incident
handling
policy is
classified information systems in accordance with [Assignment:
followed.
security
policies].
The organization employs
[Selection:
full-device encryption;
container encryption] to protect the confidentiality and
integrity of information on [Assignment: organization-defined
mobile devices].
The organization establishes terms and conditions, consistent

with any trust relationships established with other
organizations
owning, operating,
and/or
maintaining
external
Access the information
system from
external
information
information
systems, allowing authorized individuals to:
systems; and
Process, store, or transmit organization-controlled information
using external information systems.
The organization permits authorized individuals to use an
external information system to access the information system
or
to process,
store, or transmit
Verifies
the implementation
of required
security controls on the
information
only
when
the
organization:
external system as specified in the organizations
information
security
policy andsystem
security
plan; or or processing
Retains approved
information
connection
agreements with the organizational entity hosting the external
information
system.
The organization
[Selection: restricts; prohibits] the use of
organization-controlled portable storage devices by authorized
individuals
on external
information
systems.
The organization
[Selection:
restricts;
prohibits] the use of nonorganizationally owned information systems, system
components,
or devices
to the
process,
or transmit
The organization
prohibits
use ofstore,
[Assignment:
organizational
information.
organization-defined network accessible storage devices] in
external
The organization:
Facilitates information sharing by enabling authorized users to
determine whether access authorizations assigned to the
sharing
match organization-defined
the access restrictions
on the
Employspartner
[Assignment:
automated
information
for
[Assignment:
information
mechanisms or manual processes] to assist users in
making
sharing
circumstances
where userdecisions.
discretion is required]; and
information
sharing/collaboration
The information system enforces information-sharing decisions
by authorized users based on access authorizations of sharing
partners
and access
restrictions
on information
be shared.
The information
system
implements
informationtosearch
and
retrieval services that enforce [Assignment: organizationdefined
information sharing restrictions].
The organization:
Designates individuals authorized to post information onto a
publicly accessible information system;
Trains authorized individuals to ensure that publicly accessible
information does not contain nonpublic information;
Reviews the proposed content of information prior to posting
onto the publicly accessible information system to ensure that
nonpublic
information
notpublicly
included;
and
Reviews the
content onisthe
accessible
information
system for nonpublic information [Assignment: organizationdefined
frequency]
and removes
such information,
if
The organization
employs
[Assignment:
discovered.
data mining prevention and detection techniques] for
[Assignment:
data storage
objects] to
The organization
establishes procedures
to ensure
adequately
detect
and
protect
against
data
mining.
[Assignment: organization-defined access control decisions] are
applied
to each access
prior
to access enforcement.
The information
systemrequest
transmits
[Assignment:
organizationdefined access authorization information] using [Assignment:
organization-defined security safeguards] to [Assignment:
organization-defined information systems] that enforce access
control decisions.
The information system enforces access control decisions

based on [Assignment: organization-defined security attributes]
that
do not include
the identity
of thea user
or process
acting
The information
system
implements
reference
monitor
for on
behalf
of the user.
[Assignment:
organization-defined access control policies] that
is
tamperproof,
always invoked, and small enough to be subject
The
organization:
to analysis and testing, the completeness of which can be
assured.
A security awareness and training policy that addresses
purpose, scope, roles, responsibilities, management
commitment,
organizational
Procedures to coordination
facilitate the among
implementation
of theentities,
securityand
compliance;
and
awareness and training policy and associated security
awareness
and
training
controls;
Reviews and
updates
the
current:and
Security awareness and training policy [Assignment:
organization-defined frequency]; and
Security awareness and training procedures [Assignment:
organization-defined frequency].
The organization provides basic security awareness training to
information system users (including managers, senior
executives,
and contractors):
As part of initial
training for new users;
When required by information system changes; and
[Assignment: organization-defined frequency] thereafter.
The organization includes practical exercises in security
awareness training that simulate actual cyber attacks.
The organization includes security awareness training on
recognizing and reporting potential indicators of insider threat.
The organization provides role-based security training to
personnel with assigned security roles and responsibilities:
Before authorizing access to the information system or
performing assigned duties;
The organization provides [Assignment: organization-defined
personnel or roles] with initial and [Assignment: organizationdefined
frequency]
training[Assignment:
in the employment
and operation
The organization
provides
of
environmental
controls.
personnel or roles] with initial and [Assignment: organizationdefined
frequency]
training
in the employment
operation
The organization
includes
practical
exercises in and
security
of
physical
security
controls.
training that reinforce training objectives.
The organization provides training to its personnel on

[Assignment: organization-defined indicators of malicious code]
to
recognize
suspicious communications and anomalous
The
organization:
behavior in organizational information systems.
Documents and monitors individual information system
security training activities including basic security awareness
training
and specific
information
system
security training; and
Retains individual
training
records
for [Assignment:
organization-defined time period].
[Withdrawn: Incorporated into PM-15].
The organization:
An audit and accountability policy that addresses purpose,
scope, roles, responsibilities, management commitment,
coordination
organizational
entities, of
and
compliance;
Procedures toamong
facilitate
the implementation
the
audit and
and
accountability policy and associated audit and accountability
controls;
and updates the current:
Reviews and
Audit and accountability policy [Assignment: organizationdefined frequency]; and
Audit and accountability procedures [Assignment: organizationdefined frequency].
The organization:
Determines that the information system is capable of auditing
the following events: [Assignment: organization-defined
auditable
events];
Coordinates
the security audit function with other
organizational entities requiring audit-related information to
enhance
mutual
support
andthe
to help
guideevents
the selection
of
Provides a
rationale
for why
auditable
are deemed
auditable
events;
to be adequate to support after-the-fact investigations of
security
incidents;
and
Determines
that the
following events are to be audited within
the information system: [Assignment: organization-defined
audited
events
(the subsetinto
of the
auditable events defined in
[Withdrawn:
Incorporated
AU-12].
AU-2 a.) along with the frequency of (or situation requiring)
auditing for each identified event].
[Withdrawn: Incorporated into AU-12].
The organization reviews and updates the audited events
[Assignment: organization-defined frequency].
The information system generates audit records containing
information that establishes what type of event occurred, when
the event occurred, where the event occurred, the source of
the event, the outcome of the event, and the identity of any
individuals or subjects associated with the event.
The information system generates audit records containing the

following additional information: [Assignment: organizationdefined
additional,
moreprovides
detailed centralized
information].
The information
system
management and
configuration of the content to be captured in audit records
generated
by [Assignment:
information
The organization
allocates audit
record storage capacity
in
system
components].
accordance with [Assignment: organization-defined audit
record
storage requirements].
The information
system off-loads audit records [Assignment:
organization-defined frequency] onto a different system or
media
than the system
The information
system:being audited.
Alerts [Assignment: organization-defined personnel or roles] in
the event of an audit processing failure; and
Takes the following additional actions: [Assignment:
organization-defined actions to be taken (e.g., shut down
information
system,
overwrite
oldest
audit records,
stop
The information
system
provides
a warning
to [Assignment:
generating
audit
records)].
organization-defined personnel, roles, and/or locations] within
[Assignment:
when allocated
The information
system provides antime
alertperiod]
in [Assignment:
audit
record
storage
volume
reaches
[Assignment:
organization-defined real-time period] to [Assignment:
percentage]
of repository
maximum audit
personnel,
and/or locations]
The
information
system
enforcesroles,
configurable
network when
record
storage
capacity.
the
following audit
failure
events
occur: [Assignment:
communications
traffic
volume
thresholds
reflecting limits on
audit
failure rejects;
events requiring
real-time
auditing
capacity
and
[Selection:
delays]
network
traffic
The
information system invokes a [Selection: full system
alerts].
above
those
thresholds.
shutdown; partial system shutdown; degraded operational
mode
with limited mission/business functionality available] in
The organization:
the event of [Assignment: organization-defined audit failures],
unless an alternate audit capability exists.
Reviews and analyzes information system audit records
[Assignment: organization-defined frequency] for indications of
[Assignment:
inappropriate or unusual
Reports findings
to [Assignment: organization-defined
activity];
and
personnel or roles].
The organization employs automated mechanisms to integrate
audit review, analysis, and reporting processes to support
organizational
processes for
investigation
and response to
into
SI-4].
suspicious activities.
The organization analyzes and correlates audit records across
different repositories to gain organization-wide situational
awareness.
The information system provides the capability to centrally
review and analyze audit records from multiple components
within
the system.
The organization
integrates analysis of audit records with
analysis of [Selection (one or more): vulnerability scanning
information;
performance
data;
information
monitoring
The organization
correlates
information
fromsystem
audit records
with
information;
[Assignment:
information obtained from monitoring physical access to
data/information
collected
from
other sources]]
toinappropriate,
further
further
enhance the
abilitythe
to identify
suspicious,
The
organization
specifies
permitted
actions
for each
enhance
the
ability
to
identify
inappropriate
or
unusual
activity.
unusual,
malevolent
activity.
[Selectionor(one
or more):
information system process; role;
user]
associated with
the review,
analysis,
andofreporting
The organization
performs
a full text
analysis
audited of
audit
information.
privileged commands in a physically distinct component or
subsystem of the information system, or other information
system that is dedicated to that analysis.
The organization correlates information from nontechnical

sources with audit information to enhance organization-wide
situational
awareness.
The organization
adjusts the level of audit review, analysis, and
reporting within the information system when there is a change
in
risk
based on law
enforcement
information,
intelligence
The
information
system
provides an
audit reduction
and report
information,
or
other
credible
sources
of
information.
generation capability that:
Supports on-demand audit review, analysis, and reporting
requirements and after-the-fact investigations of security
incidents;
and the original content or time ordering of audit
Does not alter
records.
The information system provides the capability to process audit
records for events of interest based on [Assignment:
audit
fields within
audit records].
provides
the capability
to sort and
search audit records for events of interest based on the content
of
[Assignment:
audit fields within audit
The
information organization-defined
system:
records].
Uses internal system clocks to generate time stamps for audit
records; and
Records time stamps for audit records that can be mapped to
Coordinated Universal Time (UTC) or Greenwich Mean Time
(GMT)
and meetssystem:
[Assignment: organization-defined granularity
The information
of time measurement].
Compares the internal information system clocks [Assignment:
organization-defined frequency] with [Assignment:
authoritative
time source];
and
Synchronizes the internal
system clocks
to the authoritative
time source when the time difference is greater than
[Assignment:
period].
The information
system identifies atime
secondary
authoritative
time source that is located in a different geographic region
than
the primarysystem
authoritative
time
source.
The information
protects
audit
information and audit
tools from unauthorized access, modification, and deletion.
The information system writes audit trails to hardwareenforced, write-once media.
The information system backs up audit records [Assignment:
organization-defined frequency] onto a physically different
system
or system
component
than the
system or component
The information
system
implements
cryptographic
mechanisms
being
audited.
to protect the integrity of audit information and audit tools.
The organization authorizes access to management of audit
functionality to only [Assignment: organization-defined subset
of
privileged
users].
The
organization
enforces dual authorization for [Selection (one
or more): movement; deletion] of [Assignment: organizationdefined
audit information].
The organization
authorizes read-only access to audit
information to [Assignment: organization-defined subset of
privileged
users].system protects against an individual (or
The information
process acting on behalf of an individual) falsely denying
having performed [Assignment: organization-defined actions to
be covered by non-repudiation].

Binds the identity of the information producer with the
information to [Assignment: organization-defined strength of
binding];
andmeans for authorized individuals to determine the
Provides the
identity of the producer of the information.
Validates the binding of the information producer identity to
the information at [Assignment: organization-defined
frequency];
and
Performs [Assignment:
organization-defined actions] in the
event of a validation error.
The information system maintains reviewer/releaser identity
and credentials within the established chain of custody for all
information
reviewed
or released.
The information
system:
Validates the binding of the information reviewer identity to the
information at the transfer or release points prior to
release/transfer
between
[Assignment: organization-defined
Performs [Assignment:
actions] in the
security
domains];
and
event of a validation error.
The organization retains audit records for [Assignment:
organization-defined time period consistent with records
retention
policy] to
provide[Assignment:
support for after-the-fact
The organization
employs
investigations
of
security
incidents
to records
meet regulatory
and
measures] to ensure that long-termand
audit
generated
by
organizational
information
retention
requirements.
the
information
system
can
be
retrieved.
Provides audit record generation capability for the auditable
events defined in AU-2 a. at [Assignment: organization-defined
information
system components];
Allows [Assignment:
organization-defined personnel or roles] to
select which auditable events are to be audited by specific
components
of the
information
and
Generates audit
records
for the system;
events defined
in AU-2 d. with
the content defined in AU-3.
The information system compiles audit records from
[Assignment: organization-defined information system
components]
into
a system-wide
or physical)
audit
The information
system
produces(logical
a system-wide
(logical
ortrail
that
is
time-correlated
to
within
[Assignment:
organizationphysical) audit trail composed of audit records in a
defined
level of
tolerance for the relationship between time
standardized
format.
The
information
system
provides
the
capability
stamps
of individual
records
in the
audit
trail]. for
[Assignment: organization-defined individuals or roles] to
change
the auditing
to be performed
on [Assignment:
The organization
monitors
[Assignment:
information
system
components]
based
open source information and/or information
sites] [Assignment:
on
[Assignment:
selectable
event
criteria]
frequency]
for evidence
of unauthorized
The
organization
employs
automated
mechanisms
to
within
[Assignment:
time
thresholds].
disclosure
organizational information
information.has been disclosed in
determine of
if organizational
an unauthorized manner.
The organization reviews the open source information sites

being monitored [Assignment: organization-defined frequency].
The information system provides the capability for authorized
users to select a user session to capture/record or view/hear.
The information system initiates session audits at system startup.
users to capture/record and log content related to a user
session.
users to remotely view/hear all content related to an
established
user session
real
time. audit capability in the
The organization
providesinan
alternate
event of a failure in primary audit capability that provides
[Assignment:
alternate
audit
The organization
employs [Assignment:
functionality].
methods] for coordinating [Assignment: organization-defined
audit
information]requires
among that
external
organizations
when audit
The organization
the identity
of individuals
be
information
is
transmitted
across
organizational
boundaries.
preserved in cross-organizational audit trails.
The organization provides cross-organizational audit
information to [Assignment: organization-defined
organizations]
based on [Assignment: organization-defined
The organization:
cross-organizational sharing agreements].
A security assessment and authorization policy that addresses
commitment,
organizational
implementation
of theentities,
securityand
compliance;
and
assessment and authorization policy and associated security
assessment
authorization
controls; and
Reviews andand
updates
the current:
Security assessment and authorization policy [Assignment:
Security assessment and authorization procedures
The organization:
Develops a security assessment plan that describes the scope
of the assessment including:
Security controls and control enhancements under assessment;
Assessment procedures to be used to determine security
control effectiveness; and
Assessment environment, assessment team, and assessment
roles and responsibilities;
Assesses the security controls in the information system and its
environment of operation [Assignment: organization-defined
frequency] to determine the extent to which the controls are
implemented correctly, operating as intended, and producing
the desired outcome with respect to meeting established
security requirements;
Produces a security assessment report that documents the

results of the assessment; and
Provides the results of the security control assessment to
[Assignment: organization-defined individuals or roles].
The organization employs assessors or assessment teams with
[Assignment: organization-defined level of independence] to
conduct
security control
The organization
includesassessments.
as part of security control
assessments, [Assignment: organization-defined frequency],
[Selection:
announced;
unannounced],
(one of
or
The organization
accepts
the results of [Selection
an assessment
more):
in-depth
monitoring;
vulnerability
scanning;
malicious
[Assignment: organization-defined information system]
user
testing;
threat assessment;
performance/load
performed
byinsider
[Assignment:
external
The
organization:
testing;
[Assignment:
other forms of
organization] when the assessment meets [Assignment:
security
assessment]].
requirements].
Authorizes connections from the information system to other
information systems through the use of Interconnection
Security
Agreements;
Documents,
for each interconnection, the interface
characteristics, security requirements, and the nature of the
information
and
Reviews andcommunicated;
updates Interconnection
Security Agreements
The organization prohibits the direct connection of an
[Assignment: organization-defined unclassified, national
security
system] to
an external
network
without of
thea use
of
The organization
prohibits
the direct
connection
classified,
[Assignment:
boundary
protection
national security system to an external network without the
device].
use
[Assignment:
boundary
protection
The of
organization
prohibits
the direct connection
of an
device].
[Assignment: organization-defined unclassified, non-national
security
system] to
an external
network
without of
thean
use of
The organization
prohibits
the direct
connection
[Assignment;
boundary
protection
[Assignment: organization-defined information system] to a
device].
public
network. employs [Selection: allow-all, deny-byThe organization
exception; deny-all, permit-by-exception] policy for allowing
[Assignment:
information systems] to
into CA-2].
connect to external information systems.
The organization:
Develops a plan of action and milestones for the information
system to document the organizations planned remedial
actions
correctplan
weaknesses
deficiencies
noted
during the
Updatestoexisting
of actionor
and
milestones
[Assignment:
assessment
of
the
security
controls
and
to
reduce
or
eliminate
organization-defined frequency] based on the findings
from
known
vulnerabilities
in the system;
andimpact analyses, and
security
controls
assessments,
security
The organization employs automated mechanisms to help
continuous
ensure that monitoring
the plan of activities.
action and milestones for the
information
system
is
accurate,
up to date, and readily
The organization:
available.
Assigns a senior-level executive or manager as the authorizing
official for the information system;
Ensures that the authorizing official authorizes the information
system for processing before commencing operations; and
Updates the security authorization [Assignment: organizationdefined frequency].

The organization develops a continuous monitoring strategy
and implements a continuous monitoring program that
includes:
Establishment of [Assignment: organization-defined metrics] to
be monitored;
Establishment of [Assignment: organization-defined
frequencies] for monitoring and [Assignment: organizationdefined
for assessments
suchwith the
Ongoingfrequencies]
security control
assessmentssupporting
in accordance
monitoring;
organizational continuous monitoring strategy;
Ongoing security status monitoring of organization-defined
metrics in accordance with the organizational continuous
monitoring
Correlation strategy;
and analysis of security-related information
generated by assessments and monitoring;
Response actions to address results of the analysis of securityrelated information; and
Reporting the security status of organization and the
information system to [Assignment: organization-defined
personnel
or roles]
[Assignment:
The organization
employs
assessors
or assessment teams with
frequency].
[Assignment: organization-defined level of independence] to
monitor
the security
controls
the information system on an
[Withdrawn:
Incorporated
intoinCA-2].
ongoing basis.
The organization employs trend analyses to determine if
security control implementations, the frequency of continuous
monitoring
activities,
and/or
the types of
activities
used in the
The organization
conducts
penetration
testing
[Assignment:
continuous
monitoring
process
need
to
be
modified
based on
organization-defined frequency] on [Assignment: organizationempirical
data.
defined
information
systems
system components].
The organization
employs
an or
independent
penetration agent or
penetration team to perform penetration testing on the
information
system
or system
components.
The organization
employs
[Assignment:
red team exercises] to simulate attempts by adversaries to
compromise
organizational information systems in accordance
The organization:
with [Assignment: organization-defined rules of engagement].
Authorizes internal connections of [Assignment: organizationdefined information system components or classes of
components]
to each
the information
system; and
Documents, for
internal connection,
the interface
characteristics, security requirements, and the nature of the
information
communicated.
The information
system performs security compliance checks
on constituent system components prior to the establishment
of
the
internal connection.
The
organization:
A configuration management policy that addresses purpose,
scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance;
and
Procedures to facilitate the implementation of the configuration

management policy and associated configuration management
controls;
Reviews and
Configuration management policy [Assignment: organizationdefined frequency]; and
Configuration management procedures [Assignment:
The organization develops, documents, and maintains under
configuration control, a current baseline configuration of the
information
system.
The organization
reviews and updates the baseline
configuration of the information system:
[Assignment: organization-defined frequency];
When required due to [Assignment organization-defined
circumstances]; and
As an integral part of information system component
installations and upgrades.
The organization employs automated mechanisms to maintain
an up-to-date, complete, accurate, and readily available
baseline
configuration
of [Assignment:
the information
system.
The organization
retains
previous versions of baseline configurations of the information
system]
to support
rollback.
[Withdrawn:
Incorporated
into CM-7].
The organization maintains a baseline configuration for
information system development and test environments that is
managed
separately from the operational baseline
The organization:
configuration.
Issues [Assignment: organization-defined information systems,
system components, or devices] with [Assignment:
to individuals
to
Applies [Assignment: configurations]
securitytraveling
safeguards]
locations
that
the
organization
deems
to
be
of
significant
risk;
to the devices when the individuals return.
and
The organization:
Determines the types of changes to the information system
that are configuration-controlled;
Reviews proposed configuration-controlled changes to the
information system and approves or disapproves such changes
with
explicitconfiguration
considerationchange
for security
impact
analyses;with the
Documents
decisions
associated
information system;
Implements approved configuration-controlled changes to the
information system;
Retains records of configuration-controlled changes to the

information system for [Assignment: organization-defined time
period];
Audits and reviews activities associated with configurationcontrolled changes to the information system; and
Coordinates and provides oversight for configuration change
control activities through [Assignment: organization-defined
configuration
change
control
element mechanisms
(e.g., committee,
The organization
employs
automated
to: board)]
that convenes [Selection (one or more): [Assignment:
organization-defined frequency]; [Assignment: organizationDocument
proposed changes
the information system;
defined configuration
change to
conditions]].
Notify [Assignment: organized-defined approval authorities] of
proposed changes to the information system and request
change
approval;
Highlight
proposed changes to the information system that
have not been approved or disapproved by [Assignment:
time
period]; system until designated
Prohibit changes to the
information
approvals are received;
Document all changes to the information system; and
Notify [Assignment: organization-defined personnel] when
approved changes to the information system are completed.
The organization tests, validates, and documents changes to
the information system before implementing the changes on
the
The operational
organizationsystem.
employs automated mechanisms to
implement changes to the current information system baseline
and
deploys the updated
across security
the installed base.
The organization
requires baseline
an information
representative to be a member of the [Assignment:
configuration
change
control organizationelement].
implements
[Assignment:
defined security responses] automatically if baseline
configurations
areensures
changed
in an
unauthorized
manner. used
The organization
that
cryptographic
mechanisms
to provide [Assignment: organization-defined security
safeguards]
are under
configuration
management.
The organization
analyzes
changes to
the information system
to determine potential security impacts prior to change
implementation.
The organization analyzes changes to the information system
in a separate test environment before implementation in an
operational
environment,
for security
due to
The organization,
after thelooking
information
systemimpacts
is changed,
flaws,
weaknesses,
incompatibility,
or
intentional
malice.
checks the security functions to verify that the functions are
implemented
correctly,
operating
as intended,
The organization
defines,
documents,
approves,and
andproducing
enforces
the
desired
outcome
with
regard
to
meeting
the
security
physical and logical access restrictions associated
with changes
requirements
for the
system.
to
the
information
system.
The
information
system
enforces access restrictions and
supports auditing of the enforcement actions.
The organization reviews information system changes
[Assignment: organization-defined frequency] and
[Assignment:
circumstances]
The information
system prevents the
installation ofto determine
whether
unauthorized
changes
have
occurred.
[Assignment: organization-defined software and firmware
components] without verification that the component has been
digitally signed using a certificate that is recognized and
approved by the organization.
The organization enforces dual authorization for implementing

changes to [Assignment: organization-defined information
system
components and system-level information].
The organization:
Limits privileges to change information system components
and system-related information within a production or
operational
and
Reviews andenvironment;
reevaluates privileges
[Assignment: organizationdefined frequency].
The organization limits privileges to change software resident
within software libraries.
The organization:
Establishes and documents configuration settings for
information technology products employed within the
information
using [Assignment:
Implements system
the configuration
settings; organization-defined
security configuration checklists] that reflect the most
restrictive mode consistent with operational requirements;
Identifies, documents, and approves any deviations from
established configuration settings for [Assignment:
components]
basedin
Monitors and controlsinformation
changes to system
the configuration
settings
on
[Assignment:
operational
accordance with organizational policies and procedures.
requirements]; and
The organization employs automated mechanisms to centrally
manage, apply, and verify configuration settings for
[Assignment:
information
system
The organization
components].
security safeguards] to respond to unauthorized changes to
[Assignment:
into SI-7].configuration settings].
The organization:
Configures the information system to provide only essential
capabilities; and
Prohibits or restricts the use of the following functions, ports,
protocols, and/or services: [Assignment: organization-defined
prohibited
or restricted functions, ports, protocols, and/or
The organization:
services].
Reviews the information system [Assignment: organizationdefined frequency] to identify unnecessary and/or nonsecure
functions,
ports, protocols,
and services; andfunctions, ports,
Disables [Assignment:
protocols, and services within the information system deemed
to
beinformation
unnecessary
and/or
nonsecure].
The
system
prevents
program execution in
accordance with [Selection (one or more): [Assignment:
organization-defined policies regarding software program
usage and restrictions]; rules authorizing the terms and
conditions of software program usage].
The organization ensures compliance with [Assignment:

organization-defined registration requirements for functions,
ports,
protocols, and services].
The organization:
Identifies [Assignment: organization-defined software programs
not authorized to execute on the information system];
Employs an allow-all, deny-by-exception policy to prohibit the
execution of unauthorized software programs on the
information
Reviews andsystem;
updatesand
the list of unauthorized software
programs [Assignment: organization-defined frequency].
The organization:
Identifies [Assignment: organization-defined software programs
authorized to execute on the information system];
Employs a deny-all, permit-by-exception policy to allow the
execution of authorized software programs on the information
system;
Reviews and
and updates the list of authorized software programs
The organization:
Develops and documents an inventory of information system
components that:
Accurately reflects the current information system;
Includes all components within the authorization boundary of
the information system;
Is at the level of granularity deemed necessary for tracking and
reporting; and
Includes [Assignment: organization-defined information
deemed necessary to achieve effective information system
component
and
Reviews andaccountability];
updates the information
system component
inventory [Assignment: organization-defined frequency].
The organization updates the inventory of information system
components as an integral part of component installations,
removals,
and information
system updates.
The organization
employs automated
mechanisms to help
maintain an up-to-date, complete, accurate, and readily
available
inventory of information system components.
The organization:
Employs automated mechanisms [Assignment: organizationdefined frequency] to detect the presence of unauthorized
hardware,
software,actions
and firmware
components within
the
Takes the following
when unauthorized
components
are
information
system;
and
detected: [Selection (one or more): disables network access by
such
components;includes
isolatesinthe
The organization
thecomponents;
information notifies
system component
[Assignment:
personnel
inventory information, a means for identifyingorbyroles]].
[Selection
(one or more): name; position; role], individuals
responsible/accountable for administering those components.
The organization verifies that all components within the

authorization boundary of the information system are not
duplicated
in other
information
system
component
inventories.
The organization
includes
assessed
component
configurations
and any approved deviations to current deployed
configurations
in the
information
systemrepository
component
The organization
provides
a centralized
forinventory.
the
inventory of information system components.
The organization employs automated mechanisms to support
tracking of information system components by geographic
location.
The organization:
Assigns [Assignment: organization-defined acquired
information system components] to an information system; and
Receives an acknowledgement from the information system
owner of this assignment.
The organization develops, documents, and implements a
configuration management plan for the information system
that:
Addresses roles, responsibilities, and configuration
management processes and procedures;
Establishes a process for identifying configuration items
throughout the system development life cycle and for
managing
configuration
of the
items;
Defines thethe
configuration
items
forconfiguration
the information
system and
places the configuration items under configuration
management;
and
Protects the configuration
management plan from unauthorized
disclosure and modification.
The organization assigns responsibility for developing the
configuration management process to organizational personnel
that
are not directly involved in information system
The organization:
development.
Uses software and associated documentation in accordance
with contract agreements and copyright laws;
Tracks the use of software and associated documentation
protected by quantity licenses to control copying and
distribution;
Controls and and
documents the use of peer-to-peer file sharing
technology to ensure that this capability is not used for the
unauthorized
distribution,
display,
performance,
or
The organization
establishes
the following
restrictions
on the
reproduction
of
copyrighted
work.
use of open source software: [Assignment: organization-defined
restrictions].
The organization:
Establishes [Assignment: organization-defined policies]
governing the installation of software by users;
Enforces software installation policies through [Assignment:
organization-defined methods]; and
Monitors policy compliance at [Assignment: organizationdefined frequency].
The information system alerts [Assignment: organizationdefined personnel or roles] when the unauthorized installation
of
software
is detected.
The
information
system prohibits user installation of software
without explicit privileged status.
The organization:
A contingency planning policy that addresses purpose, scope,
roles, responsibilities, management commitment, coordination
among
organizational
and compliance;
and
Procedures
the implementation
of the
contingency
planning policy and associated contingency planning controls;
and
Contingency planning policy [Assignment: organization-defined
frequency]; and
Contingency planning procedures [Assignment: organizationdefined frequency].
The organization:
Develops a contingency plan for the information system that:
Identifies essential missions and business functions and
associated contingency requirements;
Provides recovery objectives, restoration priorities, and metrics;
Addresses contingency roles, responsibilities, assigned
individuals with contact information;
Addresses maintaining essential missions and business
functions despite an information system disruption,
compromise,
or failure;
Addresses eventual,
full information system restoration without
deterioration of the security safeguards originally planned and
implemented;
and
Is reviewed and
approved by [Assignment: organization-defined
personnel or roles];
Distributes copies of the contingency plan to [Assignment:
organization-defined key contingency personnel (identified by
name
and/orcontingency
by role) andplanning
organizational
elements];
Coordinates
activities
with incident
handling activities;
Reviews the contingency plan for the information system
Updates the contingency plan to address changes to the
organization, information system, or environment of operation
and
problems encountered
contingency
plan
Communicates
contingencyduring
plan changes
to [Assignment:
implementation,
execution,
or
testing;
organization-defined key contingency personnel (identified by
name and/or by role) and organizational elements]; and
Protects the contingency plan from unauthorized disclosure and

modification.
The organization coordinates contingency plan development
with organizational elements responsible for related plans.
The organization conducts capacity planning so that necessary
capacity for information processing, telecommunications, and
environmental
support
exists
contingency
operations.
The organization
plans for
theduring
resumption
of essential
missions
and business functions within [Assignment: organizationdefined
time period]
of for
contingency
plan activation.
The organization
plans
the resumption
of all missions and
business functions within [Assignment: organization-defined
time
period] of contingency
plan
activation.of essential
The organization
plans for the
continuance
missions and business functions with little or no loss of
operational
continuity
sustains
thatofcontinuity
full
The organization
plansand
for the
transfer
essential until
missions
information
system
restoration
at
primary
processing
and/or
and business functions to alternate processing and/or storage
storage
sites.
sites
with
little or coordinates
no loss of operational
continuity
and sustains
The organization
its contingency
plan with
the
that
continuity
through
information
system
restoration
to
contingency plans of external service providers to ensure that
primary
processing
and/or storage
sites.
contingency
requirements
be satisfied.
The organization
identifies can
critical
information system assets
supporting essential missions and business functions.
The organization provides contingency training to information
system users consistent with assigned roles and
responsibilities:
Within [Assignment: organization-defined time period] of
assuming a contingency role or responsibility;
The organization incorporates simulated events into
contingency training to facilitate effective response by
personnel
in crisisemploys
situations.
The organization
automated mechanisms to provide a
more thorough and realistic contingency training environment.
The organization:
Tests the contingency plan for the information system
[Assignment: organization-defined frequency] using
[Assignment:
tests] toand
determine the
Reviews the contingency
plan test results;
effectiveness of the plan and the organizational readiness to
execute the plan;
Initiates corrective actions, if needed.
The organization coordinates contingency plan testing with
organizational elements responsible for related plans.
The organization tests the contingency plan at the alternate
processing site:
To familiarize contingency personnel with the facility and
available resources; and
To evaluate the capabilities of the alternate processing site to

support contingency operations.
The organization employs automated mechanisms to more
thoroughly and effectively test the contingency plan.
The organization includes a full recovery and reconstitution of
the information system to a known state as part of contingency
plan
testing. Incorporated into CP-2].
[Withdrawn:
The organization:
Establishes an alternate storage site including necessary
agreements to permit the storage and retrieval of information
system
and site provides information
Ensuresbackup
that theinformation;
alternate storage
security safeguards equivalent to that of the primary site.
The organization identifies an alternate storage site that is
separated from the primary storage site to reduce
susceptibility
to the
same threats.
The organization
configures
the alternate storage site to
facilitate recovery operations in accordance with recovery time
and
recovery point
objectives.
The organization
identifies
potential accessibility problems to
the alternate storage site in the event of an area-wide
disruption
or disaster and outlines explicit mitigation actions.
The organization:
Establishes an alternate processing site including necessary
agreements to permit the transfer and resumption of
[Assignment:
information
system
Ensures that equipment
and supplies
required to
transfer and
operations]
for
essential
missions/business
functions
within
resume operations are available at the alternate processing
[Assignment:
time
period
consistent
site
or contracts
are
in place
to support
delivery
to the
sitewith
Ensures
that
the
alternate
processing
site
provides
information
recovery
time
and
recovery
point
objectives]
when
the
primary
within
the
time
period
forprimary site.
security
safeguards
equivalent
to
those
of
the
processing
capabilities
are unavailable;
transfer/resumption;
and
The organization identifies an alternate processing site that is
separated from the primary processing site to reduce
susceptibility
to the
same threats.
The organization
identifies
potential accessibility problems to
the alternate processing site in the event of an area-wide
disruption
or disaster
and outlines
explicit
mitigation
The organization
develops
alternate
processing
site actions.
agreements that contain priority-of-service provisions in
accordance
with organizational
availability
requirements
The organization
prepares the alternate
processing
site so that
(including
recovery
time
objectives).
the site is ready to be used as the operational site supporting
essential
missions
and business
functions.
[Withdrawn:
Incorporated
into CP-7].
The organization plans and prepares for circumstances that
preclude returning to the primary processing site.
The organization establishes alternate telecommunications
services including necessary agreements to permit the
resumption
of [Assignment: organization-defined information
The organization:
system operations] for essential missions and business
functions within [Assignment: organization-defined time period]
when the primary telecommunications capabilities are
unavailable at either the primary or alternate processing or
storage sites.
Develops primary and alternate telecommunications service

agreements that contain priority-of-service provisions in
accordance
with organizationalService
availability
requirements
Requests Telecommunications
Priority
for all
(including
recovery
time
objectives);
and
telecommunications services used for national security
emergency
preparedness
in the event
that the primary and/or
The organization
obtains alternate
telecommunications
alternate
telecommunications
services
are provided
by a of
services to reduce the likelihood of sharing
a single point
common
carrier.
failure
with primary
telecommunications
services.
The organization
obtains
alternate telecommunications
services from providers that are separated from primary
service
providers to reduce susceptibility to the same threats.
The organization:
Requires primary and alternate telecommunications service
providers to have contingency plans;
Reviews provider contingency plans to ensure that the plans
meet organizational contingency requirements; and
Obtains evidence of contingency testing/training by providers
The organization tests alternate telecommunication services
The organization:
Conducts backups of user-level information contained in the
information system [Assignment: organization-defined
frequency
consistent
with recoveryinformation
time and recovery
point
Conducts backups
of system-level
contained
in the
objectives];
frequency
consistent
with recovery
time and
recovery point
Conducts backups
of information
system
documentation
objectives];
including security-related documentation [Assignment:
frequency
consistent
with recovery
time
Protects the confidentiality,
integrity,
and availability
of backup
and
recovery
point
objectives];
and
information at storage locations.
The organization tests backup information [Assignment:
organization-defined frequency] to verify media reliability and
information
integrity.
The organization
uses a sample of backup information in the
restoration of selected information system functions as part of
contingency
plan stores
testing.
The organization
backup copies of [Assignment:
organization-defined critical information system software and
other
security-related
information]
in a separate facility or in a
[Withdrawn:
Incorporated
into CP-9].
fire-rated container that is not collocated with the operational
system.
The organization transfers information system backup
information to the alternate storage site [Assignment:
time period
and transfer
rate consistent
The organization accomplishes
information
system
backup by
with
the
recovery
time
and
recovery
point
objectives].
maintaining a redundant secondary system that is not
collocated
with the
primarydual
system
and that can
be activated
The organization
enforces
authorization
for the
deletion or
without
loss
of
information
or
disruption
to
operations.
destruction of [Assignment: organization-defined backup
information].
The organization provides for the recovery and reconstitution of
the information system to a known state after a disruption,
compromise, or failure.
[Withdrawn: Incorporated into CP-4].

The information system implements transaction recovery for
systems that are transaction-based.
[Withdrawn: Addressed through tailoring procedures].
The organization provides the capability to restore information
system components within [Assignment: organization-defined
restoration
configuration-controlled and
[Withdrawn:time-periods]
Incorporatedfrom
into SI-13].
integrity-protected information representing a known,
operational state for the components.
The organization protects backup and restoration hardware,
firmware, and software.
The information system provides the capability to employ
[Assignment: organization-defined alternative communications
protocols]
in support
of maintaining
continuity
of operations.
The information
system,
when [Assignment:
organizationdefined conditions] are detected, enters a safe mode of
operation
with [Assignment:
restrictions of
The organization
safe
mode
of
operation].
alternative or supplemental security mechanisms] for satisfying
[Assignment:
organization-defined security functions] when the
The organization:
primary means of implementing the security function is
unavailable or compromised.
An identification and authentication policy that addresses
commitment,
organizational
and
implementation
of theentities,
identification
compliance;
and
and authentication policy and associated identification and
authentication
controls;
Reviews and updates
theand
current:
Identification and authentication policy [Assignment:
Identification and authentication procedures [Assignment:
The information system uniquely identifies and authenticates
organizational users (or processes acting on behalf of
organizational
users).
The information
system implements multifactor authentication
for network access to privileged accounts.
The information system implements multifactor authentication
for network access to non-privileged accounts.
for local access to privileged accounts.
for local access to non-privileged accounts.
The organization requires individuals to be authenticated with
an individual authenticator when a group authenticator is
employed.

for network access to privileged accounts such that one of the
factors
is provided
by a device
separate
from theauthentication
system
The information
system
implements
multifactor
gaining
access
and to
thenon-privileged
device meetsaccounts
[Assignment:
for network
access
such that one of
strength
of
mechanism
requirements].
the
factors
is
provided
by
a
device
separate
from
the system
The information system implements replay-resistant
gaining
access
and
the
device
meets
[Assignment:
authentication mechanisms for network access to privileged
strength of mechanism requirements].
accounts.
The information system implements replay-resistant
authentication mechanisms for network access to nonprivileged
accounts.
The information
system provides a single sign-on capability for
accounts
and services].
The information
system implements multifactor authentication
for remote access to privileged and non-privileged accounts
such
that one of system
the factors
is provided
by a deviceverifies
separate
The information
accepts
and electronically
from
the
system
gaining
access
and
the
device
meets
Personal Identity Verification (PIV) credentials.
[Assignment: organization-defined strength of mechanism
The
information system implements [Assignment: organizationrequirements].
defined out-of-band authentication] under [Assignment:
conditions].
uniquely identifies and authenticates
[Assignment: organization-defined specific and/or types of
devices]
before establishing
a [Selection
(one or more): local;
The information
system authenticates
[Assignment:
remote;
network]
connection.
organization-defined specific devices and/or types of devices]
before
establishing
[Selection
or more): local; remote;
[Withdrawn:
Incorporated
into (one
IA-3 (1)].
network] connection using bidirectional authentication that is
cryptographically based.
The organization:
Standardizes dynamic address allocation lease information and
the lease duration assigned to devices in accordance with
[Assignment:
lease to
information
Audits lease information
when assigned
a device. and lease
duration]; and
The organization ensures that device identification and
authentication based on attestation is handled by [Assignment:
configuration
management
process].by:
The organization manages
information
system identifiers
Receiving authorization from [Assignment: organization-defined
personnel or roles] to assign an individual, group, role, or
device
identifier;
Selecting
an identifier that identifies an individual, group, role,
or device;
Assigning the identifier to the intended individual, group, role,
or device;
Preventing reuse of identifiers for [Assignment: organizationdefined time period]; and
Disabling the identifier after [Assignment: organization-defined
time period of inactivity].
The organization prohibits the use of information system
account identifiers that are the same as public identifiers for
individual electronic mail accounts.
The organization requires that the registration process to

receive an individual identifier includes supervisor
authorization.
The organization requires multiple forms of certification of
individual identification be presented to the registration
authority.
The organization manages individual identifiers by uniquely
identifying each individual as [Assignment: organizationdefined
characteristic
identifying
individual
status].
The information
system
dynamically
manages
identifiers.
The organization coordinates with [Assignment: organizationdefined external organizations] for cross-organization
management
of identifiers.
The organization
requires that the registration process to
receive an individual identifier be conducted in person before a
designated
registration
authority.
The organization
manages
information system authenticators
by:
Verifying, as part of the initial authenticator distribution, the
identity of the individual, group, role, or device receiving the
authenticator;
Establishing initial authenticator content for authenticators
defined by the organization;
Ensuring that authenticators have sufficient strength of
mechanism for their intended use;
Establishing and implementing administrative procedures for
initial authenticator distribution, for lost/compromised or
damaged
for revoking authenticators;
Changing authenticators,
default content and
of authenticators
prior to information
system installation;
Establishing minimum and maximum lifetime restrictions and
reuse conditions for authenticators;
Changing/refreshing authenticators [Assignment: organizationdefined time period by authenticator type];
Protecting authenticator content from unauthorized disclosure
and modification;
Requiring individuals to take, and having devices implement,
specific security safeguards to protect authenticators; and
Changing authenticators for group/role accounts when
membership to those accounts changes.
The information system, for password-based authentication:
Enforces minimum password complexity of [Assignment:
organization-defined requirements for case sensitivity, number
of
characters,
mixthe
of following
upper-case
letters,oflower-case
letters,
Enforces
at least
number
changed characters
numbers,
and
special
characters,
including
minimum
when new passwords are created: [Assignment: organizationrequirements
for each type];
defined
number];
Stores and
transmits only cryptographically-protected
passwords;
Enforces password minimum and maximum lifetime restrictions
of [Assignment: organization-defined numbers for lifetime
minimum, lifetime maximum];
Prohibits password reuse for [Assignment: organization-defined

number] generations; and
Allows the use of a temporary password for system logons with
an immediate change to a permanent password.
The information system, for PKI-based authentication:
Validates certifications by constructing and verifying a
certification path to an accepted trust anchor including
checking
certificate status
Enforces authorized
accessinformation;
to the corresponding private key;
Maps the authenticated identity to the account of the individual
or group; and
Implements a local cache of revocation data to support path
discovery and validation in case of inability to access
revocation
information
viathat
the network.
The organization
requires
the registration process to
receive [Assignment: organization-defined types of and/or
specific
authenticators]
beautomated
conducted tools
[Selection:
in person;
The organization
employs
to determine
if by
a
trusted
third
party]
before
[Assignment:
password authenticators are sufficiently strong to satisfy
registration
authority]
with authorization
by [Assignment:
[Assignment:
requirements].
The
organization
requires
developers/installers
of information
personnel
or roles].
system components to provide unique authenticators or
change
default authenticators
prior to delivery/installation.
The organization
protects authenticators
commensurate with
the security category of the information to which use of the
authenticator
permits
access.
The organization
ensures
that unencrypted static
authenticators are not embedded in applications or access
scripts
or stored on
function keys.
The organization
implements
[Assignment: organizationdefined security safeguards] to manage the risk of compromise
due
to individualscoordinates
having accounts
on multiple information
The organization
with [Assignment:
organizationsystems.
defined external organizations] for cross-organization
management
of system
credentials.
The information
dynamically provisions identities.
The information system, for hardware token-based
authentication, employs mechanisms that satisfy [Assignment:
token
requirements].
The information system,
forquality
biometric-based
authentication,
employs mechanisms that satisfy [Assignment: organizationdefined
biometric
qualityprohibits
requirements].
The information
system
the use of cached
authenticators after [Assignment: organization-defined time
period].
The organization, for PKI-based authentication, employs a
deliberate organization-wide methodology for managing the
content
of PKI trust
stores
across allpath
platforms
The organization
uses
onlyinstalled
FICAM-approved
discovery and
including
networks,
operating
systems,
browsers,
and
validation products and services.
applications.
The information system obscures feedback of authentication
information during the authentication process to protect the
information
fromsystem
possible
exploitation/use
by unauthorized
The information
implements
mechanisms
for
individuals.
authentication to a cryptographic module that meet the
requirements of applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance for
such authentication.
The information system uniquely identifies and authenticates

non-organizational users (or processes acting on behalf of nonorganizational
users).
The information
system accepts and electronically verifies
Personal Identity Verification (PIV) credentials from other
federal
agencies.system accepts only FICAM-approved thirdThe information
party credentials.
The organization employs only FICAM-approved information
system components in [Assignment: organization-defined
information
systems]
to conforms
accept third-party
credentials.
The information
system
to FICAM-issued
profiles.
The information system accepts and electronically verifies
Personal Identity Verification-I (PIV-I) credentials.
The organization identifies and authenticates [Assignment:
organization-defined information system services] using
[Assignment:
security
safeguards].
The organization
ensures that service
providers
receive,
validate, and transmit identification and authentication
information.
The organization ensures that identification and authentication
decisions are transmitted between [Assignment: organizationdefined
services] requires
consistent
with
organizational
policies.
The organization
that
individuals
accessing
the
information system employ [Assignment: organization-defined
supplemental
authentication
techniques
or mechanisms]
under
The organization
requires users
and devices
to re-authenticate
specific
[Assignment:
circumstances
when [Assignment: organization-defined circumstances or or
situations].
situations
requiring re-authentication].
The organization:
An incident response policy that addresses purpose, scope,
among
organizational
and compliance;
and
Procedures
the implementation
of the
incident
response policy and associated incident response controls; and
Incident response policy [Assignment: organization-defined
frequency]; and
Incident response procedures [Assignment: organizationdefined frequency].
The organization provides incident response training to
information system users consistent with assigned roles and
responsibilities:
Within [Assignment: organization-defined time period] of
assuming an incident response role or responsibility;
The organization incorporates simulated events into incident

response training to facilitate effective response by personnel
in
crisis
situations.
The
organization
employs automated mechanisms to provide a
more thorough and realistic incident response training
environment.
The organization tests the incident response capability for the
frequency]
using employs
[Assignment:
The organization
automated
mechanisms totests]
moreto
determine
response
effectiveness
and documents
thoroughly the
andincident
effectively
test the
incident response
capability.
the results.
The organization coordinates incident response testing with
organizational elements responsible for related plans.
The organization:
Implements an incident handling capability for security
incidents that includes preparation, detection and analysis,
containment,
eradication,
and activities
recovery;with contingency
Coordinates incident
handling
planning activities; and
Incorporates lessons learned from ongoing incident handling
activities into incident response procedures, training, and
testing,
and implements
resulting mechanisms
changes accordingly.
The organization
employsthe
automated
to support
the incident handling process.
The organization includes dynamic reconfiguration of
components]
as part
of the[Assignment:
incident response
capability.
The organization
identifies
classes of incidents] and [Assignment: organization-defined
actions
to take in correlates
response to
classesinformation
of incidents]
to individual
ensure
The organization
incident
and
continuation
of
organizational
missions
and
business
functions.
incident responses to achieve an organization-wide perspective
on
awareness
and response.
Theincident
organization
implements
a configurable capability to
automatically disable the information system if [Assignment:
security incident
violations]
are detected.
The organization implements
handling
capability for
insider threats.
The organization coordinates incident handling capability for
insider threats across [Assignment: organization-defined
components
or elements
of the
organization].
The organization
coordinates
with
[Assignment: organizationdefined external organizations] to correlate and share
[Assignment:
incident
information] to
The organization
achieve
a
cross-organization
perspective
on
dynamic response capabilities] to effectivelyincident
respondawareness
to
and
moreincidents.
effective incident responses.
security
The organization coordinates incident handling activities
involving supply chain events with other organizations involved
in
the
supply chain.
The
organization
tracks and documents information system
security incidents.
The organization employs automated mechanisms to assist in
the tracking of security incidents and in the collection and
analysis
of incident information.
The organization:
Requires personnel to report suspected security incidents to

the organizational incident response capability within
[Assignment:
time
and
Reports security
incident information
to period];
[Assignment:
organization-defined authorities].
The organization employs automated mechanisms to assist in
the reporting of security incidents.
The organization reports information system vulnerabilities
associated with reported security incidents to [Assignment:
personnel
or roles].
The organization provides
security
incident information to other
organizations involved in the supply chain for information
systems
or information
system
components
related
to the
The organization
provides
an incident
response
support
incident.
resource, integral to the organizational incident response
capability
that offers
advice
and assistance
to userstoofincrease
the
The organization
employs
automated
mechanisms
information
system
for
the
handling
and
reporting
of
security
the availability of incident response-related information and
incidents.
support.
The organization:
Establishes a direct, cooperative relationship between its
incident response capability and external providers of
information
system protection
capability;
Identifies organizational
incident
responseand
team members to
the external providers.
The organization:
Develops an incident response plan that:
Provides the organization with a roadmap for implementing its
incident response capability;
Describes the structure and organization of the incident
response capability;
Provides a high-level approach for how the incident response
capability fits into the overall organization;
Meets the unique requirements of the organization, which
relate to mission, size, structure, and functions;
Defines reportable incidents;
Provides metrics for measuring the incident response capability
within the organization;
Defines the resources and management support needed to
effectively maintain and mature an incident response
capability;
Is reviewedand
and approved by [Assignment: organization-defined
personnel or roles];
Distributes copies of the incident response plan to
[Assignment: organization-defined incident response personnel
(identified
byincident
name and/or
by role)
organizational
Reviews the
response
plan and
[Assignment:
organizationelements];
defined frequency];
Updates the incident response plan to address

system/organizational changes or problems encountered during
plan
implementation,
execution,
testing;
Communicates
incident
responseor
plan
changes to [Assignment:
organization-defined incident response personnel (identified by
name
and/or
by role) response
and organizational
and
Protects
the incident
plan from elements];
unauthorized
disclosure and modification.
The organization responds to information spills by:
Identifying the specific information involved in the information
system contamination;
Alerting [Assignment: organization-defined personnel or roles]
of the information spill using a method of communication not
associated
with
the spill; information system or system
Isolating the
contaminated
component;
Eradicating the information from the contaminated information
system or component;
Identifying other information systems or system components
that may have been subsequently contaminated; and
Performing other [Assignment: organization-defined actions].
The organization assigns [Assignment: organization-defined
personnel or roles] with responsibility for responding to
information
spills.provides information spillage response
The organization
training [Assignment: organization-defined frequency].
The organization implements [Assignment: organizationdefined procedures] to ensure that organizational personnel
impacted
by information
can continue
to carry out
The organization
employsspills
[Assignment:
assigned
tasks
while
contaminated
systems
are
undergoing
security safeguards] for personnel exposed to
information
not
corrective
actions.
within
assigned
access
authorizations.
The organization establishes an integrated team of
forensic/malicious code analysts, tool developers, and real-time
operations
personnel.
The organization:
A system maintenance policy that addresses purpose, scope,
among
organizational
and compliance;
and
Procedures
the implementation
of the
system
maintenance policy and associated system maintenance
controls;
Reviews and
System maintenance policy [Assignment: organization-defined
frequency]; and
System maintenance procedures [Assignment: organizationdefined frequency].
The organization:
Schedules, performs, documents, and reviews records of
maintenance and repairs on information system components in
accordance
with
manufacturer
or vendoractivities,
specifications
and/or
Approves and
monitors
all maintenance
whether
organizational
requirements;
performed on site or remotely and whether the equipment is
serviced
site
or removedorganization-defined
to another location; personnel or
Requires on
that
[Assignment:
roles] explicitly approve the removal of the information system
or
systemequipment
components
organizational
facilities
for off-site
Sanitizes
to from
remove
all information
from associated
maintenance
or
repairs;
media prior to removal from organizational facilities for off-site
maintenance
or repairs;
Checks all potentially
impacted security controls to verify that
the controls are still functioning properly following maintenance
or
repair [Assignment:
actions; and organization-defined maintenanceIncludes
related information] in organizational maintenance records.
[Withdrawn: Incorporated into MA-2].
The organization:
Employs automated mechanisms to schedule, conduct, and
document maintenance and repairs; and
Produces up-to date, accurate, and complete records of all
maintenance and repair actions requested, scheduled, in
process,
and completed.
The organization
approves, controls, and monitors information
system maintenance tools.
The organization inspects the maintenance tools carried into a
facility by maintenance personnel for improper or unauthorized
modifications.
The organization checks media containing diagnostic and test
programs for malicious code before the media are used in the
information
system.
The organization
prevents the unauthorized removal of
maintenance equipment containing organizational information
by:
Verifying that there is no organizational information contained
on the equipment;
Sanitizing or destroying the equipment;
Retaining the equipment within the facility; or
Obtaining an exemption from [Assignment: organizationdefined personnel or roles] explicitly authorizing removal of the
equipment
from system
the facility.
The information
restricts the use of maintenance tools
to authorized personnel only.
The organization:
Approves and monitors nonlocal maintenance and diagnostic
activities;
Allows the use of nonlocal maintenance and diagnostic tools

only as consistent with organizational policy and documented
in
the security
for the information
system;
Employs
strongplan
authenticators
in the establishment
of nonlocal
maintenance and diagnostic sessions;
Maintains records for nonlocal maintenance and diagnostic
activities; and
Terminates session and network connections when nonlocal
maintenance is completed.
The organization:
Audits nonlocal maintenance and diagnostic sessions
[Assignment: organization-defined audit events]; and
Reviews the records of the maintenance and diagnostic
sessions.
The organization documents in the security plan for the
information system, the policies and procedures for the
establishment
and use of nonlocal maintenance and diagnostic
The organization:
connections.
Requires that nonlocal maintenance and diagnostic services be
performed from an information system that implements a
security
comparable
to the capability
Removescapability
the component
to be serviced
from theimplemented
information
on
the
system
being
serviced;
or
system prior to nonlocal maintenance or diagnostic services,
sanitizes
the component
regard
to organizational
The organization
protects(with
nonlocal
maintenance
sessions by:
information) before removal from organizational facilities, and
after the service is performed, inspects and sanitizes the
Employing
authenticators
component[Assignment:
(with regard to
potentially malicious
software)
that
are
replay
resistant];
and
before reconnecting the component to the information system.
Separating the maintenance sessions from other network
sessions with the information system by either:
Physically separated communications paths; or
Logically separated communications paths based upon
encryption.
The organization:
Requires the approval of each nonlocal maintenance session by
[Assignment: organization-defined personnel or roles]; and
Notifies [Assignment: organization-defined personnel or roles]
of the date and time of planned nonlocal maintenance.
to protect the integrity and confidentiality of nonlocal
maintenance
andsystem
diagnostic
communications.
The information
implements
remote disconnect
verification at the termination of nonlocal maintenance and
diagnostic
sessions.
The organization:
Establishes a process for maintenance personnel authorization

and maintains a list of authorized maintenance organizations or
personnel;
Ensures that non-escorted personnel performing maintenance
on the information system have required access authorizations;
and
Designates organizational personnel with required access
authorizations and technical competence to supervise the
maintenance
activities of personnel who do not possess the
The organization:
required access authorizations.
Implements procedures for the use of maintenance personnel
that lack appropriate security clearances or are not U.S.
citizens,
that personnel
include thewho
following
Maintenance
do notrequirements:
have needed access
authorizations, clearances, or formal access approvals are
escorted
and supervised
duringorthe
performance
of by
Prior to initiating
maintenance
diagnostic
activities
maintenance
and
diagnostic
activities
on
the
information
personnel who do not have needed access authorizations,
system
by approved
organizational
personnel
whoinformation
are fully
clearances
or formal
access
approvals,
all volatile
Develops
and
implements
alternate
security
safeguards
cleared,
have
appropriate
access
authorizations,
and
arein the
storage
components
within
the
information
system
are
event
an information
system component cannot be sanitized,
technically
qualified;
sanitized
and
all nonvolatile
storage
media are removed or
removed,
or
disconnected
from
the system.
The
organization
ensuresfrom
that
personnel
physically
disconnected
the
system performing
and secured; and
maintenance and diagnostic activities on an information
system
processing,
storing,
or personnel
transmitting
classified
The organization
ensures
that
performing
information
possess
security
clearances
and
formal access
maintenance and diagnostic activities on an information
approvals
for at least
the highest
classification
level and for all
system
processing,
storing,
or transmitting
classified
The
organization
ensures
that:
compartments
of
information
on
the
system.
information are U.S. citizens.
Cleared foreign nationals (i.e., foreign nationals with
appropriate security clearances), are used to conduct
maintenance
and diagnostic
activities
on classified
information
Approvals, consents,
and detailed
operational
conditions
systems
only
when
the
systems
are
jointly
owned
and
operated
regarding the use of foreign nationals to conduct maintenance
by
the
United
States
and
foreign
allied
governments,
or
owned
and
diagnostic activities
on
classified
information
systems
are
The
organization
ensures
that
non-escorted
personnel
and
operated
solely
by
foreign
allied
governments;
and
fully
documented
within
Memoranda
of
Agreements.
performing maintenance activities not directly associated with
the
in the physical
proximity
the
The information
organizationsystem
obtainsbut
maintenance
support
and/orofspare
system,
have
required
access
authorizations.
parts for [Assignment: organization-defined information system
components]
within
[Assignment:
The organization
performs
preventive
maintenance on time
period]
of
failure.
components]
at [Assignment:
time
The organization
performs predictive
maintenance on
intervals].
components]
at [Assignment:
time
The organization
employs automated
mechanisms to
transfer
intervals].
predictive maintenance data to a computerized maintenance
management
system.
The organization:
A media protection policy that addresses purpose, scope, roles,
among
organizational
and compliance;
and
Procedures
the implementation
of the
media
protection policy and associated media protection controls; and

Media protection policy [Assignment: organization-defined
frequency]; and
Media protection procedures [Assignment: organization-defined
frequency].
The organization restricts access to [Assignment: organizationdefined types of digital and/or non-digital media] to
[Assignment:
or roles].
into MP-4personnel
(2)].
[Withdrawn: Incorporated into SC-28 (1)].
The organization:
Marks information system media indicating the distribution
limitations, handling caveats, and applicable security markings
(if
any) of[Assignment:
the information;
and
Exempts
types of
information system media] from marking as long as the media
remain
within [Assignment: organization-defined controlled
The organization:
areas].
Physically controls and securely stores [Assignment:
organization-defined types of digital and/or non-digital media]
within
[Assignment:
controlled
areas]; and
Protects
information organization-defined
system media until the
media are
destroyed or sanitized using approved equipment, techniques,
and
procedures.
[Withdrawn:
Incorporated into SC-28 (1)].
The organization employs automated mechanisms to restrict
access to media storage areas and to audit access attempts
and
access granted.
The organization:
Protects and controls [Assignment: organization-defined types
of information system media] during transport outside of
controlled
areas using [Assignment:
Maintains accountability
for information
system media during
security
safeguards];
transport outside of controlled areas;
Documents activities associated with the transport of
information system media; and
Restricts the activities associated with the transport of
information system media to authorized personnel.
The organization employs an identified custodian during
transport of information system media outside of controlled
areas.

to protect the confidentiality and integrity of information stored
on
media during transport outside of controlled areas.
Thedigital
organization:
Sanitizes [Assignment: organization-defined information
system media] prior to disposal, release out of organizational
control,
release formechanisms
reuse using [Assignment:
organizationEmploysor
sanitization
with the strength
and
defined
sanitization
techniques
and
procedures]
in
accordance
integrity commensurate with the security category or
with
applicable
and organizational standards and
classification
of federal
the
information.
The
organization
reviews,
approves, tracks, documents, and
policies;
and
verifies media sanitization and disposal actions.
The organization tests sanitization equipment and procedures
[Assignment: organization-defined frequency] to verify that the
intended
sanitization
is being
achieved. sanitization techniques
The organization
applies
nondestructive
to portable storage devices prior to connecting such devices to
the
information
system under
following circumstances:
[Withdrawn:
Incorporated
into the
MP-6].
[Assignment: organization-defined circumstances requiring
sanitization of portable storage devices].
The organization enforces dual authorization for the
sanitization of [Assignment: organization-defined information
system
media]. provides the capability to purge/wipe
The organization
information from [Assignment: organization-defined
information
systems,
systemrestricts;
components,
or devices]
The organization
[Selection:
prohibits]
the useeither
of
remotely
or
under
the
following
conditions:
[Assignment:
[Assignment: organization-defined types of information system
conditions].
media]
on [Assignment:
The organization
prohibits
the use of portable information
storage devices
systems
or
system
components]
using
[Assignment:
in organizational information systems when such devices have
security safeguards].
no
owner.
Theidentifiable
organization
prohibits the use of sanitization-resistant
media in organizational information systems.
The organization:
Establishes [Assignment: organization-defined information
system media downgrading process] that includes employing
downgrading
mechanisms
with
[Assignment:
organizationEnsures that the
information
system
media downgrading
defined
strength
and
integrity];
process is commensurate with the security category and/or
classification
level of the
information to be removed
and the
Identifies [Assignment:
information
access
authorizations
of
the
potential
recipients
of
the
system media requiring downgrading]; and
downgraded information;
Downgrades the identified information system media using the
established process.
The organization documents information system media
downgrading actions.
The organization employs [Assignment: organization-defined
tests] of downgrading equipment and procedures to verify
correct performance [Assignment: organization-defined
frequency].
The organization downgrades information system media

containing [Assignment: organization-defined Controlled
Unclassified
Information
(CUI)]information
prior to public
release
in
The organization
downgrades
system
media
accordance
with applicable
federal
andtoorganizational
containing classified
information
prior
release to individuals
standards
and
policies.
without
required
access
authorizations
in
accordance with NSA
The organization:
standards and policies.
A physical and environmental protection policy that addresses
commitment,
organizational
implementation
of theentities,
physicaland
and
compliance;
and
environmental protection policy and associated physical and
environmental
protection
controls; and
Reviews and updates
the current:
Physical and environmental protection policy [Assignment:
Physical and environmental protection procedures
The organization:
Develops, approves, and maintains a list of individuals with
authorized access to the facility where the information system
resides;
Issues authorization credentials for facility access;
Reviews the access list detailing authorized facility access by
individuals [Assignment: organization-defined frequency]; and
Removes individuals from the facility access list when access is
no longer required.
The organization authorizes physical access to the facility
where the information system resides based on position or role.
The organization requires two forms of identification from
[Assignment: organization-defined list of acceptable forms of
identification]
for restricts
visitor access
to the access
facility to
where
the
The organization
unescorted
the facility
information
system
resides.
where the information system resides to personnel with
[Selection
(one or more): security clearances for all information
The organization:
contained within the system; formal access authorizations for
all information contained within the system; need for access to
Enforces
physical
access authorizations
at [Assignment:
all information
contained
within the system;
[Assignment:
entry/exit
points
to
the facility where the
organization-defined credentials]].
information
system access
resides]authorizations
by;
Verifying individual
before granting
access to the facility; and
Controlling ingress/egress to the facility using [Selection (one
or more): [Assignment: organization-defined physical access
control
systems/devices];
Maintains
physical access guards];
audit logs for [Assignment:
organization-defined entry/exit points];
Provides [Assignment: organization-defined security

safeguards] to control access to areas within the facility
officially
designated
as publicly
accessible;
Escorts visitors
and monitors
visitor
activity [Assignment:
organization-defined circumstances requiring visitor escorts
and
monitoring];
Secures
keys, combinations, and other physical access devices;
Inventories [Assignment: organization-defined physical access
devices] every [Assignment: organization-defined frequency];
and
Changes combinations and keys [Assignment: organizationdefined frequency] and/or when keys are lost, combinations are
compromised,
or enforces
individuals
are transferred
or terminated.
The organization
physical
to the
information system in addition to the physical access controls
for
facility at [Assignment:
physical
Thethe
organization
performs security
checks [Assignment:
spaces
containing
one
or
more
components
of
the
information
organization-defined frequency] at the physical boundary of
system].
the
or information
unauthorized
exfiltration
The facility
organization
employs system
guards for
and/or
alarms to monitor
of
information
or
removal
of
information
system
components.
every physical access point to the facility where the
information
system
resides
24 hours
percasings
day, 7 days
per week.
The organization
uses
lockable
physical
to protect
components]
fromemploys
unauthorized
physicalorganization-defined
access.
The organization
[Assignment:
security safeguards] to [Selection (one or more): detect;
prevent]
physical employs
tampering
or alterationtesting
of [Assignment:
The organization
a penetration
process that
hardware
components]
within the
includes [Assignment: organization-defined frequency],
information
system.
unannounced
attempts
tophysical
bypass or
circumvent
security
The organization
controls
access
to [Assignment:
controls
associated
with
physical
access
points
to
theand
facility.
organization-defined information system distribution
transmission
lines]
within physical
organizational
using
The organization
controls
accessfacilities
to information
[Assignment:
security
safeguards].
system output devices to prevent unauthorized individuals
from
obtaining the output.
The organization:
Controls physical access to output from [Assignment:
organization-defined output devices]; and
Ensures that only authorized individuals receive output from
the device.
Controls physical access to output from [Assignment:
organization-defined output devices]; and
Links individual identity to receipt of the output from the
device.
The organization marks [Assignment: organization-defined
information system output devices] indicating the appropriate
security
marking of the information permitted to be output
The organization:
from the device.
Monitors physical access to the facility where the information
system resides to detect and respond to physical security
incidents;
Reviews physical access logs [Assignment: organizationdefined frequency] and upon occurrence of [Assignment:
orand
potential
indications
of the
events];
Coordinates results ofevents
reviews
investigations
with
and
organizational incident response capability.
The organization monitors physical intrusion alarms and
surveillance equipment.
The organization employs automated mechanisms to recognize
[Assignment: organization-defined classes/types of intrusions]
and
initiate [Assignment:
The organization
employsorganization-defined
video surveillance ofresponse
[Assignment:
actions].
organization-defined operational areas] and retains video
recordings
for [Assignment:
time period].
The organization
monitors physical
access to the information
system in addition to the physical access monitoring of the
facility
as [Assignment:
[Withdrawn:
Incorporated
into PE-2 and PE-3].physical spaces
containing one or more components of the information
system].
The organization:
Maintains visitor access records to the facility where the
information system resides for [Assignment: organizationdefined
period];
Reviewstime
visitor
accessand
records [Assignment: organizationdefined frequency].
The organization employs automated mechanisms to facilitate
the maintenance and review of visitor access records.
[Withdrawn: Incorporated into PE-2].
The organization protects power equipment and power cabling
for the information system from damage and destruction.
The organization employs redundant power cabling paths that
are physically separated by [Assignment: organization-defined
distance].
The organization employs automatic voltage controls for
[Assignment: organization-defined critical information system
components].
The organization:
Provides the capability of shutting off power to the information
system or individual system components in emergency
situations;
Places emergency shutoff switches or devices in [Assignment:
organization-defined location by information system or system
component]
to facilitate
safe
and easy
accessfrom
for personnel;
Protects emergency
power
shutoff
capability
unauthorized
and
activation.
[Withdrawn: Incorporated into PE-10].
The organization provides a short-term uninterruptible power
supply to facilitate [Selection (one or more): an orderly
shutdown
of the information
system; transition
the supply
The organization
provides a long-term
alternateof
power
information
system
to
long-term
alternate
power]
in the event
for the information system that is capable of maintaining
of
a primary
power operational
source loss.capability in the event of an
minimally
required
extended loss of the primary power source.
The organization provides a long-term alternate power supply

for the information system that is:
Self-contained;
Not reliant on external power generation; and
Capable of maintaining [Selection: minimally required
operational capability; full operational capability] in the event
of
anorganization
extended loss
of the and
primary
powerautomatic
source. emergency
The
employs
maintains
lighting for the information system that activates in the event
of
a organization
power outageprovides
or disruption
and that
covers
The
emergency
lighting
foremergency
all areas
exits
and
evacuation
routes
within
the
facility.
within the facility supporting essential missions and business
functions.
The organization employs and maintains fire suppression and
detection devices/systems for the information system that are
supported
by an independent
source.
The organization
employs fire energy
detection
devices/systems for
the information system that activate automatically and notify
[Assignment:
personnel
or roles] and for
The organization
employs fire suppression
devices/systems
[Assignment:
emergency
in
the information system that provide automatic responders]
notification of
the
event
of
a
fire.
any
to employs
Assignment:
personnel
The activation
organization
an automatic
fire suppression
or
roles]
and
[Assignment:
emergency
capability for the information system when the facility is not
responders].
staffed
on a continuous
basis.
The organization
ensures
that the facility undergoes
[Assignment: organization-defined frequency] inspections by
authorized
and qualified inspectors and resolves identified
The organization:
deficiencies within [Assignment: organization-defined time
period].
Maintains temperature and humidity levels within the facility
where the information system resides at [Assignment:
levels];
and
Monitors temperatureacceptable
and humidity
levels
[Assignment:
The organization employs automatic temperature and humidity
controls in the facility to prevent fluctuations potentially
harmful
to the information
system.
The organization
employs temperature
and humidity
monitoring that provides an alarm or notification of changes
potentially
harmful
to personnel
or equipment.
The organization
protects
the information
system from damage
resulting from water leakage by providing master shutoff or
isolation
valves that
are accessible,
working
properly,
and
The organization
employs
automated
mechanisms
to detect
known
to
key
personnel.
the presence of water in the vicinity of the information system
and
alerts [Assignment:
personnel or
The organization
authorizes,
monitors, and controls
roles].
[Assignment: organization-defined types of information system
components]
entering and exiting the facility and maintains
The organization:
records of those items.
Employs [Assignment: organization-defined security controls]
at alternate work sites;
Assesses as feasible, the effectiveness of security controls at
alternate work sites; and
Provides a means for employees to communicate with

information security personnel in case of security incidents or
problems.
The organization positions information system components
within the facility to minimize potential damage from
[Assignment:
The organization
plans the locationphysical
or site ofand
theenvironmental
facility where
hazards]
and
to
minimize
the
opportunity
for
the information system resides with regard tounauthorized
physical and
access.
environmental
hazards
and
forinformation
existing facilities,
the
The organization
protects
the
systemconsiders
from
physical
andleakage
environmental
hazards in its risk
mitigation
information
due to electromagnetic
signals
strategy.
emanations.
The organization ensures that information system components,
associated data communications, and networks are protected
in
accordance
with national emissions and TEMPEST policies
The
organization:
and procedures based on the security category or classification
of the information.
Employs [Assignment: organization-defined asset location
technologies] to track and monitor the location and movement
of
[Assignment:
assets]
within
Ensures
that asset
location technologies
are employed
in
[Assignment:
controlled
areas];
and
accordance with applicable federal laws, Executive Orders,
directives,
regulations, policies, standards, and guidance.
The organization:
A security planning policy that addresses purpose, scope, roles,
among
organizational
and compliance;
and
Procedures
the implementation
of the
security
planning policy and associated security planning controls; and
Security planning policy [Assignment: organization-defined
frequency]; and
Security planning procedures [Assignment: organizationdefined frequency].
The organization:
Develops a security plan for the information system that:
Is consistent with the organizations enterprise architecture;
Explicitly defines the authorization boundary for the system;
Describes the operational context of the information system in
terms of missions and business processes;
Provides the security categorization of the information system
including supporting rationale;
Describes the operational environment for the information
system and relationships with or connections to other
information systems;
Provides an overview of the security requirements for the

system;
Identifies any relevant overlays, if applicable;
Describes the security controls in place or planned for meeting
those requirements including a rationale for the tailoring
decisions;
Is reviewedand
and approved by the authorizing official or
designated representative prior to plan implementation;
Distributes copies of the security plan and communicates
subsequent changes to the plan to [Assignment: organizationdefined
or plan
roles];
Reviewspersonnel
the security
for the information system
Updates the plan to address changes to the information
system/environment of operation or problems identified during
plan
implementation
or security
control assessments;
Protects
the security plan
from unauthorized
disclosureand
and
modification.
[Withdrawn: Incorporated into PL-7].
The organization plans and coordinates security-related
activities affecting the information system with [Assignment:
individuals
or groups] before conducting
into PL-2].
such activities in order to reduce the impact on other
organizational entities.
The organization:
Establishes and makes readily available to individuals requiring
access to the information system, the rules that describe their
responsibilities
andacknowledgment
expected behavior
with
regard
to
Receives a signed
from
such
individuals,
information
and
information
system
usage;
indicating that they have read, understand, and agree to abide
by
the rules
behavior,
authorizing
access to
Reviews
andof
updates
thebefore
rules of
behavior [Assignment:
information
and
the
information
system;
Requires individuals who have signed a previous version of the
rules of behavior to read and re-sign when the rules of behavior
are
The revised/updated.
organization includes in the rules of behavior, explicit
restrictions on the use of social media/networking sites and
posting
organizational
information
on public
websites.
[Withdrawn:
Incorporated
into Appendix
J, AR-2].
The organization:
Develops a security Concept of Operations (CONOPS) for the
information system containing at a minimum, how the
organization intends to operate the system from the
perspective of information security; and
Reviews and updates the CONOPS [Assignment: organizationdefined frequency].

The organization:
Develops an information security architecture for the
information system that:
Describes the overall philosophy, requirements, and approach
to be taken with regard to protecting the confidentiality,
integrity,
of organizational
information;
Describesand
howavailability
the information
security architecture
is
integrated into and supports the enterprise architecture; and
Describes any information security assumptions about, and
dependencies on, external services;
Reviews and updates the information security architecture
[Assignment: organization-defined frequency] to reflect
updates
in the
enterprise
architecture;
andarchitecture changes
Ensures that
planned
information
security
are reflected in the security plan, the security Concept of
Operations
(CONOPS),
and
The organization
designs
itsorganizational
security architecture using a
procurements/acquisitions.
defense-in-depth approach that:
Allocates [Assignment: organization-defined security
safeguards] to [Assignment: organization-defined locations and
architectural
layers];
and security safeguards operate in a
Ensures that the
allocated
coordinated and mutually reinforcing manner.
The organization requires that [Assignment: organizationdefined security safeguards] allocated to [Assignment:
locations
and architectural
layers]
are
The organization centrally
manages
[Assignment:
organizationobtained
from
different
suppliers.
defined security controls and related processes].
The organization:
A personnel security policy that addresses purpose, scope,
among
organizational
and compliance;
and
Procedures
the implementation
of the
personnel
security policy and associated personnel security controls; and
Personnel security policy [Assignment: organization-defined
frequency]; and
Personnel security procedures [Assignment: organizationdefined frequency].
The organization:
Assigns a risk designation to all organizational positions;
Establishes screening criteria for individuals filling those

positions; and
Reviews and updates position risk designations [Assignment:
The organization:
Screens individuals prior to authorizing access to the
information system; and
Rescreens individuals according to [Assignment: organizationdefined conditions requiring rescreening and, where
rescreening
is so ensures
indicated,
theindividuals
frequencyaccessing
of such rescreening].
The organization
that
an
information system processing, storing, or transmitting
classified
information
are that
cleared
and indoctrinated
The organization
ensures
individuals
accessing to
anthe
highest
classification
level
of
the
information
to
which
information system processing, storing, or transmittingthey
types of
have
access
on the system.
classified
information
which
require
formal
indoctrination,
are
The organization ensures that individuals accessing an
formally
indoctrinated
for
all
of
the
relevant
types
of
information system processing, storing, or transmitting
information
to
which they
have
access on the system.
information
requiring
special
protection:
Have valid access
authorizations
that are demonstrated by
assigned official government duties; and
Satisfy [Assignment: organization-defined additional personnel
screening criteria].
The organization, upon termination of individual employment:
Disables information system access within [Assignment:
organization-defined time period];
Terminates/revokes any authenticators/credentials associated
with the individual;
Conducts exit interviews that include a discussion of
[Assignment: organization-defined information security topics];
Retrieves all security-related organizational information
system-related property;
Retains access to organizational information and information
systems formerly controlled by terminated individual; and
Notifies [Assignment: organization-defined personnel or roles]
within [Assignment: organization-defined time period].
The organization:
Notifies terminated individuals of applicable, legally binding
post-employment requirements for the protection of
organizational
information;
and to sign an acknowledgment of
Requires terminated
individuals
post-employment requirements as part of the organizational
termination
process.
The organization
employs automated mechanisms to notify
[Assignment: organization-defined personnel or roles] upon
termination
of an individual.
The organization:
Reviews and confirms ongoing operational need for current

logical and physical access authorizations to information
systems/facilities
whenorganization-defined
individuals are reassigned
oror
Initiates [Assignment:
transfer
transferred
to actions]
other positions
within the organization;
reassignment
within [Assignment:
time
period
following
the formal
action];
Modifies
access
authorization
as transfer
needed to
correspond with
any changes in operational need due to reassignment or
transfer;
and
Notifies [Assignment:
organization-defined personnel or roles]
within [Assignment: organization-defined time period].
The organization:
Develops and documents access agreements for organizational
information systems;
Reviews and updates the access agreements [Assignment:
Ensures that individuals requiring access to organizational
information and information systems:
Sign appropriate access agreements prior to being granted
access; and
Re-sign access agreements to maintain access to
organizational information systems when access agreements
have
been updated
or [Assignment:
[Withdrawn:
Incorporated
into PS-3].organization-defined
frequency].
The organization ensures that access to classified information
requiring special protection is granted only to individuals who:
Have a valid access authorization that is demonstrated by
assigned official government duties;
Satisfy associated personnel security criteria; and
Have read, understood, and signed a nondisclosure agreement.
The organization:
Notifies individuals of applicable, legally binding postemployment requirements for protection of organizational
information;
and
Requires individuals
to sign an acknowledgment of these
requirements, if applicable, as part of granting initial access to
covered
information.
The organization:
Establishes personnel security requirements including security
roles and responsibilities for third-party providers;
Requires third-party providers to comply with personnel
security policies and procedures established by the
organization;
Documents personnel security requirements;
Requires third-party providers to notify [Assignment:

organization-defined personnel or roles] of any personnel
transfers
or terminations
of third-party personnel who possess
Monitors provider
compliance.
organizational credentials and/or badges, or who have
information system privileges within [Assignment: organizationThe
organization:
defined
time period]; and
Employs a formal sanctions process for individuals failing to
comply with established information security policies and
procedures;
and
Notifies [Assignment:
organization-defined personnel or roles]
within [Assignment: organization-defined time period] when a
formal
employee sanctions process is initiated, identifying the
The organization:
individual sanctioned and the reason for the sanction.
A risk assessment policy that addresses purpose, scope, roles,
among
organizational
and compliance;
and
Procedures
the implementation
of the
risk
assessment policy and associated risk assessment controls;
and
Risk assessment policy [Assignment: organization-defined
frequency]; and
Risk assessment procedures [Assignment: organization-defined
frequency].
The organization:
Categorizes information and the information system in
accordance with applicable federal laws, Executive Orders,
directives,
regulations,
standards,
and(including
guidance;
Documentspolicies,
the security
categorization
results
supporting rationale) in the security plan for the information
system;
and the authorizing official or authorizing official
Ensures that
designated representative reviews and approves the security
categorization
decision.
The organization:
Conducts an assessment of risk, including the likelihood and
magnitude of harm, from the unauthorized access, use,
disclosure,
modification,
or [Selection:
destructionsecurity
of the plan;
Documentsdisruption,
risk assessment
results in
information
system
and
the
information
it
processes,
stores, or
risk assessment report; [Assignment: organization-defined
transmits;
document]];
Reviews risk assessment results [Assignment: organizationdefined frequency];
Disseminates risk assessment results to [Assignment:
organization-defined personnel or roles]; and
Updates the risk assessment [Assignment: organization-defined
frequency] or whenever there are significant changes to the
information system or environment of operation (including the
identification of new threats and vulnerabilities), or other
conditions that may impact the security state of the system.
[Withdrawn: Incorporated into RA-3].

The organization:
Scans for vulnerabilities in the information system and hosted
applications [Assignment: organization-defined frequency
and/or
randomly
in accordance
Employs
vulnerability
scanning with
toolsorganization-defined
and techniques that
process]
and
when
new
vulnerabilities
potentially
affecting
facilitate interoperability among tools and
automate
parts ofthe
system/applications
are
identified
and
reported;
the
vulnerability
management
process
using
standards for:
Enumerating
platforms,
software
flaws,by
and
improper
configurations;
Formatting checklists and test procedures; and
Measuring vulnerability impact;
Analyzes vulnerability scan reports and results from security
control assessments;
Remediates legitimate vulnerabilities [Assignment:
organization-defined response times] in accordance with an
organizational
assessment
offrom
risk; the
andvulnerability scanning
Shares information
obtained
process and security control assessments with [Assignment:
personnel
or roles]scanning
to help eliminate
vulnerability
tools that
similar
vulnerabilities
in
other
information
(i.e.,system
include the capability to readily update thesystems
information
systemic
weaknesses
or
deficiencies).
vulnerabilities
to be
scanned.
The organization
updates
the information system
vulnerabilities scanned [Selection (one or more): [Assignment:
frequency];
prior to
a new scan;
when
vulnerability
scanning
procedures
new
vulnerabilities
are
identified
and
reported].
that can identify the breadth and depth of coverage (i.e.,
information
system
components
scanned
and vulnerabilities
The organization
determines
what
information
about the
checked).
information system is discoverable by adversaries and
subsequently
takes
[Assignment:
The information
system
implements
privileged access
corrective
actions].
authorization to [Assignment: organization-identified
information
system
components]
for selected
[Assignment:
The organization
employs
automated
mechanisms
to compare
vulnerability
scanning
activities].
the results of vulnerability scans over time to determine trends
in
information
system vulnerabilities.
[Withdrawn:
Incorporated
into CM-8].
The organization reviews historic audit logs to determine if a
vulnerability identified in the information system has been
previously
exploited.
[Withdrawn:
Incorporated into CA-8].
The organization correlates the output from vulnerability
scanning tools to determine the presence of multivulnerability/multi-hop
attack
vectors.surveillance
a technical
countermeasures survey at [Assignment: organization-defined
locations]
[Selection (one or more): [Assignment: organizationThe organization:
defined frequency]; [Assignment: organization-defined events
or indicators occur]].

A system and services acquisition policy that addresses
commitment,
organizational
implementation
of theentities,
system and
and
compliance;
and
services acquisition policy and associated system and services
acquisition
controls;
Reviews and
updatesand
the current:
System and services acquisition policy [Assignment:
System and services acquisition procedures [Assignment:
The organization:
Determines information security requirements for the
information system or information system service in
mission/business
processand
planning;
Determines, documents,
allocates the resources required
to protect the information system or information system
service
as part
of its capital
planning
and investment
control
Establishes
a discrete
line item
for information
security
in
process;
and
organizational programming and budgeting documentation.
The organization:
Manages the information system using [Assignment:
organization-defined system development life cycle] that
incorporates
informationinformation
security considerations;
Defines and documents
security roles and
responsibilities throughout the system development life cycle;
Identifies individuals having information security roles and
responsibilities; and
Integrates the organizational information security risk
management process into system development life cycle
activities.
The organization includes the following requirements,
descriptions, and criteria, explicitly or by reference, in the
acquisition
contractrequirements;
for the information system, system
Security functional
component, or information system service in accordance with
applicable federal laws, Executive Orders, directives, policies,
Security
strength
requirements;
regulations,
standards,
guidelines, and organizational
mission/business needs:
Security assurance requirements;
Security-related documentation requirements;
Requirements for protecting security-related documentation;
Description of the information system development
environment and environment in which the system is intended
to operate; and
Acceptance criteria.
The organization requires the developer of the information
system, system component, or information system service to
provide
a description
of the
functional
properties
of the security
The organization
requires
the
developer
of the information
controls
to
be
employed.
provide
design and
implementation
information
for the security
The organization
requires
the developer
of the information
controls
to be employed
thator
includes:
[Selection
(one
or to
system, system
component,
information
system
service
more):
security-relevant
external
system
interfaces;
high-level
demonstrate
the use of a system
development
life cycle that
[Withdrawn:
Incorporated
into CM-8
(9)].
design;
design;
source
code
or hardware
schematics;
includeslow-level
[Assignment:
state-of-the[Assignment:
design/implementation
practice system/security engineering methods, software
The
organization
requires
the developer
of the information
information]]
at
[Assignment:
level of
development
methods,
testing/evaluation/validation
system,
system
or information
detail].
techniques,
and component,
quality control
processes]. system service to:
Deliver the system, component, or service with [Assignment:

organization-defined security configurations] implemented; and
Use the configurations as the default for any subsequent
system, component, or service reinstallation or upgrade.
The organization:
Employs only government off-the-shelf (GOTS) or commercial
off-the-shelf (COTS) information assurance (IA) and IA-enabled
information
products
compose
an and/or
NSAEnsures thattechnology
these products
havethat
been
evaluated
approved
solution
to
protect
classified
information
when the
validated by NSA or in accordance with NSA-approved
networks
used
to
transmit
the
information
are
at
a
lower
procedures.
The
organization:
classification
level than the information being transmitted; and
Limits the use of commercially provided information assurance
(IA) and IA-enabled information technology products to those
products
been successfully
evaluated
against
Requires,that
if nohave
NIAP-approved
Protection
Profile exists
foraa
National
Information
Assurance
partnership
(NIAP)-approved
specific technology type but a commercially provided
Protection
Profile
for a specific
technology
type, if such a profile
information
technology
product
relies onof
cryptographic
The
organization
requires
the developer
the information
exists;
and
functionality
to enforce
its security
policy, that
the service to
system, system
component,
or information
system
cryptographic
module
is
FIPS-validated.
produce
a plan forrequires
the continuous
monitoring
security control
The organization
the developer
of theofinformation
effectiveness
that
contains
[Assignment:
level
of detail].
identify
early in the
systemonly
development
life
cycle, theproducts
The organization
employs
information
technology
functions,
ports,
protocols,
and
services
intended
forIdentity
on the FIPS 201-approved products list for Personal
organizational
use.
Verification
(PIV) capability implemented within organizational
The organization:
Obtains administrator documentation for the information
system, system component, or information system service that
describes:
Secure configuration, installation, and operation of the system,
component, or service;
Effective use and maintenance of security
functions/mechanisms; and
Known vulnerabilities regarding configuration and use of
administrative (i.e., privileged) functions;
Obtains user documentation for the information system,

system component, or information system service that
describes:
User-accessible security functions/mechanisms and how to
effectively use those security functions/mechanisms;
Methods for user interaction, which enables individuals to use
the system, component, or service in a more secure manner;
and
User responsibilities in maintaining the security of the system,
Documents attempts to obtain information system, system
component, or information system service documentation
when
such
documentation
either unavailable
or nonexistent
Protects
documentation
as is
required,
in accordance
with the risk
and
takes
[Assignment:
actions]
in
management strategy; and
response;
Distributes documentation to [Assignment: organizationdefined personnel or roles].
[Withdrawn: Incorporated into SA-4 (1)].
[Withdrawn: Incorporated into CM-10 and SI-7].
[Withdrawn: Incorporated into CM-11 and SI-7].
The organization applies information system security
engineering principles in the specification, design,
development,
implementation, and modification of the
The organization:
information system.
Requires that providers of external information system services
comply with organizational information security requirements
and
employ
security
Defines
and [Assignment:
documents government
oversight and
user roles
controls]
in
accordance
with
applicable
federal
laws,
Executive
and responsibilities with regard to external information
system
Orders,
directives,
policies, regulations, standards, and
services;
and
Employs
guidance;[Assignment: organization-defined processes,
methods, and techniques] to monitor security control
compliance
by external service providers on an ongoing basis.
The organization:
Conducts an organizational assessment of risk prior to the
acquisition or outsourcing of dedicated information security
services;
andthe acquisition or outsourcing of dedicated
Ensures that
information security services is approved by [Assignment:
organization-defined personnel or roles].
The organization requires providers of [Assignment:

organization-defined external information system services] to
identify
the functions,
ports, protocols,
andand
other
servicestrust
The organization
establishes,
documents,
maintains
required
for the
use
of suchservice
services.
relationships
with
external
providers based on
[Assignment:
security
requirements,
The organization
properties,
factors,
or
conditions
defining
acceptable
security safeguards] to ensure that the interests of trust
relationships].
[Assignment:
external
service (one
providers]
The organization
restricts the location
of [Selection
or
are
consistent
with
and
reflect
organizational
interests.
more): information processing; information/data; information
system
services] requires
to [Assignment:
The organization
the developer
of the information
locations]
based
on
[Assignment:
system, system component, or information
system service to:
requirements or conditions].
Perform configuration management during system, component,
or service [Selection (one or more): design; development;
implementation;
operation];
Document, manage,
and control the integrity of changes to
[Assignment: organization-defined configuration items under
configuration
management];
Implement only
organization-approved changes to the system,
Document approved changes to the system, component, or
service and the potential security impacts of such changes; and
Track security flaws and flaw resolution within the system,
component, or service and report findings to [Assignment:
personnel].
The organization requires
the developer of the information
enable
integrity verification
softwareconfiguration
and firmware
The organization
provides anofalternate
components.
management process using organizational personnel in the
absence
of a dedicated
developer
configuration
management
The organization
requires
the developer
of the information
team.
enable
integrity verification
ofdeveloper
hardware of
components.
The organization
requires the
the information
employ
tools for comparing
newly
generated
of
The organization
requires the
developer
of theversions
information
security-relevant
hardware
descriptions
and
software/firmware
source
and
object
codeofwith
previous versions.
maintain
the
integrity
the
between
the master
The organization
requires
themapping
developer
of the information
build
data
(hardware
drawings
and
software/firmware
code)to
system, system component, or information system service
describing
the current
of that
security-relevant
hardware,
execute
procedures
forversion
ensuring
security-relevant
The
organization
requires
the
developer
of the copy
information
software,
and
firmware
and
the
on-site
master
of to
the
data
hardware,
software,
and firmware
updates distributed
the
system,
system
component,
or information
system service
to:
for
the
current
version.
organization are exactly as specified by the master copies.
Create and implement a security assessment plan;
Perform [Selection (one or more): unit; integration; system;
regression] testing/evaluation at [Assignment: organizationdefined
andof
coverage];
Produce depth
evidence
the execution of the security assessment
plan and the results of the security testing/evaluation;
Implement a verifiable flaw remediation process; and
Correct flaws identified during security testing/evaluation.

employ
static code
analysis
tools
to identify
common
flaws and
The organization
requires
the
developer
of the
information
document
the results
of the analysis.
system, system
component,
or information system service to
perform
threat and vulnerability analyses and subsequent
The organization:
testing/evaluation of the as-built system, component, or
service.
Requires an independent agent satisfying [Assignment:
organization-defined independence criteria] to verify the
correct
of the agent
developer
security
assessment
Ensuresimplementation
that the independent
is either
provided
with
plan
and
the
evidence
produced
during
security
sufficient information to complete the verification process or
testing/evaluation;
and
granted
the authority
to obtain
such information.
The organization
requires
the developer
of the information
perform
a manualrequires
code review
of [Assignment:
organizationThe organization
the developer
of the information
defined
specific
code]
using
[Assignment:
processes,
procedures,
and/or
techniques].
perform
penetration
testing
[Assignment:
requires
theatdeveloper
of the
information
defined
breadth/depth]
and
with
[Assignment:
organizationsystem, system component, or information system service to
defined
constraints].
perform
attack surface
reviews.
The organization
requires
the developer of the information
verify
that the scope
of security
testing/evaluation
provides
The organization
requires
the developer
of the information
complete
coverage
of
required
security
controls
at
[Assignment:
depth
of testing/evaluation].
employ
dynamic
code
analysis
tools
to identify
common
The organization
protects
against
supply
chain threats
toflaws
the
and
document
the
results
of
the
analysis.
information system, system component, or information system
service
by employing
[Assignment:
The organization
employs
[Assignment:
security
safeguards]
as
part
of
a
comprehensive,
tailored acquisition strategies, contract tools, anddefense-inprocurement
breadth
information
security
strategy.
methods]
for
the
purchase
of
the
information
system,
system
The organization conducts a supplier review prior to entering
component,
or
information
system
service
from
suppliers.
into a contractual agreement to acquire the information
system,
system
component,
orSA-12
information
[Withdrawn:
Incorporated
into
(1)]. system service.
security safeguards] to limit harm from potential adversaries
identifying
targeting the
[Withdrawn:and
Incorporated
intoorganizational
SA-12 (1)]. supply chain.
The organization conducts an assessment of the information
system, system component, or information system service prior
to
selection,
acceptance,
or update.
The
organization
uses all-source
intelligence analysis of
suppliers and potential suppliers of the information system,
system
component,
or information
system
service.
The organization
employs
[Assignment:
Operations Security (OPSEC) safeguards] in accordance with
classification
guides
to protect
supply chain-related
information
The organization
employs
[Assignment:
for
the
information
system,
system
component,
or
information
security safeguards] to validate that the information system or
system
service.
system
component
received
is genuine
and
not been
The organization
employs
[Selection
(one
orhas
more):
altered.
organizational analysis, independent third-party analysis,
organizational penetration testing, independent third-party
penetration testing] of [Assignment: organization-defined
supply chain elements, processes, and actors] associated with
the information system, system component, or information
system service.
The organization establishes inter-organizational agreements

and procedures with entities involved in the supply chain for
the
system
component,
or information
The information
organizationsystem,
employs
[Assignment:
system
securityservice.
safeguards] to ensure an adequate supply of
[Assignment:
criticalunique
information
system
The organization
establishes and retains
identification
components].
of [Assignment: organization-defined supply chain elements,
processes,
and actors]
for theainformation
system,weaknesses
system
The organization
establishes
process to address
component,
or in
information
system
service.
or deficiencies
supply chain
elements
identified during
independent
or organizational assessments of such elements.
The organization:
Describes the trustworthiness required in the [Assignment:
organization-defined information system, information system
component,
or informationorganization-defined
system service] supporting
its
Implements [Assignment:
assurance
critical
missions/business
functions;
and
overlay] to achieve such trustworthiness.
The organization identifies critical information system
components and functions by performing a criticality analysis
for
[Assignment:
[Withdrawn:
Incorporated
into SA-20]. information systems,
information system components, or information system
services] at [Assignment: organization-defined decision points
The
organization:
in the
system development life cycle].
Requires the developer of the information system, system
component, or information system service to follow a
documented
development
process
that:
Explicitly addresses
security
requirements;
Identifies the standards and tools used in the development
process;
Documents the specific tool options and tool configurations
used in the development process; and
Documents, manages, and ensures the integrity of changes to
the process and/or tools used in development; and
Reviews the development process, standards, tools, and tool
options/configurations [Assignment: organization-defined
frequency]
to determine
thedeveloper
process, standards,
tools, and
The organization
requiresifthe
of the information
tool
options/configurations
selected
and
employed
satisfy
system, system component, or information system can
service
to:
[Assignment: organization-defined security requirements].
Define quality metrics at the beginning of the development
process; and
Provide evidence of meeting the quality metrics [Selection (one
or more): [Assignment: organization-defined frequency];
[Assignment:
program
review
milestones];
The organization
requires the developer
of the
information
upon
delivery].
select
and employrequires
a security
tool
during the
The organization
thetracking
developer
offor
theuse
information
development
process.
perform
a criticality
analysis
atdevelopers
[Assignment:
requires
that
perform
threat
defined
breadth/depth]
and
at
[Assignment:
organizationmodeling and a vulnerability analysis for the information
defined
decision
points in
the system development
life cycle].
system at
[Assignment:
breadth/depth]
that:
Uses [Assignment: organization-defined information concerning

impact, environment of operations, known or assumed threats,
and
acceptable
risk levels];
Employs
[Assignment:
organization-defined tools and
methods]; and
Produces evidence that meets [Assignment: organizationdefined acceptance criteria].
reduce
attack surfaces
to [Assignment:
The organization
requires
the developerorganization-defined
of the information
thresholds].
implement
an explicit
process
to continuously
the
The organization
requires
the developer
of the improve
information
development
process.
system, system component, or information system service to:
Perform an automated vulnerability analysis using
[Assignment: organization-defined tools];
Determine the exploitation potential for discovered
vulnerabilities;
Determine potential risk mitigations for delivered
vulnerabilities; and
Deliver the outputs of the tools and results of the analysis to
[Assignment: organization-defined personnel or roles].
use
modeling
and vulnerability
analyses
from similar
The threat
organization
approves,
documents,
and controls
the use of
systems,
components,
or
services
to
inform
the
current
live data in development and test environments for the
development
process.
information
system,
system
or the
information
system
The organization
requires
thecomponent,
developer of
information
service.
provide
an incident
response
The organization
requires
the plan.
developer of the information
system or system component to archive the system or
component
to be requires
releasedthe
or delivered
with the
The organization
developertogether
of the information
corresponding
evidence
supporting
the
final
security
review.
system, system component, or information system service
to
provide
[Assignment:
on the
The organization
requires
the developer of training]
the information
correct
use
and
operation
of
the
implemented
security
functions,
and/or mechanisms.
produce
a controls,
design
and
architecture that:
Is consistent
with specification
and supportive
ofsecurity
the organizations
security architecture which is established within and is an
integrated
of the organizations
architecture;
Accurately part
and completely
describes theenterprise
required security
functionality, and the allocation of security controls among
physical
and
logical
components;
Expresses
how
individual
security and
functions, mechanisms, and
services work together to provide required security capabilities
and
a unified approach
to the
protection.
The organization
requires
developer of the information
Produce, as an integral part of the development process, a
formal policy model describing the [Assignment: organizationdefined
elements
of organizational
security
policy]
to be and
Prove that
the formal
policy model is
internally
consistent
enforced;
and
sufficient to enforce the defined elements of the organizational
security policy when implemented.

Define security-relevant hardware, software, and firmware; and
Provide a rationale that the definition for security-relevant
hardware, software, and firmware is complete.
Produce, as an integral part of the development process, a
formal top-level specification that specifies the interfaces to
security-relevant
and additional
firmware ininformal
terms of
Show via proof to hardware,
the extentsoftware,
feasible with
exceptions,
error
messages,
and
effects;
demonstration as necessary, that the formal top-level
specification
is consistent
with thethat
formal
Show via informal
demonstration,
thepolicy
formalmodel;
top-level
specification completely covers the interfaces to securityrelevant
hardware,
software,
and
firmware; is an accurate
Show that
the formal
top-level
specification
description of the implemented security-relevant hardware,
software,
andsecurity-relevant
firmware; and hardware, software, and
Describe the
firmware mechanisms not addressed in the formal top-level
specification
but strictly
to the security-relevant
The organization
requiresinternal
the developer
of the information
hardware,
software,
and
firmware.
Produce, as an integral part of the development process, an
informal descriptive top-level specification that specifies the
interfaces
to security-relevant
hardware, software,
and
Show via [Selection:
informal demonstration,
convincing
firmware
in
terms
of
exceptions,
error
messages,
and
effects;
argument with formal methods as feasible] that the descriptive
top-level
is consistentthat
withthe
thedescriptive
formal policy
Show via specification
informal demonstration,
top-level
model;
specification completely covers the interfaces to securityrelevant
hardware,
software,
and firmware;
Show that
the descriptive
top-level
specification is an accurate
description of the interfaces to security-relevant hardware,
software,
andsecurity-relevant
firmware; and hardware, software, and
Describe the
firmware mechanisms not addressed in the descriptive toplevel
specificationrequires
but strictly
to of
thethe
security-relevant
The organization
the internal
developer
information
hardware,
software,
and
firmware.
Design and structure the security-relevant hardware, software,
and firmware to use a complete, conceptually simple protection
mechanism
with precisely
defined semantics;
and software,
Internally structure
the security-relevant
hardware,
and firmware with specific regard for this mechanism.
structure
security-relevant
hardware,
software,
and firmware to
The organization
requires the
developer
of the information
facilitate
testing.
structure
security-relevant
hardware,
software,
andprogram
firmware
The organization
implements
a tamper
protection
forto
facilitate
controlling
access
with
least
privilege.
the information system, system component, or information
system
service. employs anti-tamper technologies and
The organization
techniques during multiple phases in the system development
life cycle including design, development, integration,
operations, and maintenance.
The organization inspects [Assignment: organization-defined

information systems, system components, or devices]
[Selection
(one or more): at random; at [Assignment:
The organization:
organization-defined frequency], upon [Assignment:
organization-defined indications of need for inspection]] to
Develops
and implements anti-counterfeit policy and
detect tampering.
procedures that include the means to detect and prevent
counterfeit
components
from entering
information
Reports counterfeit
information
systemthe
components
to system;
and
[Selection (one or more): source of counterfeit component;
[Assignment:
external
reporting
The organization
trains [Assignment:
organizations];
[Assignment:
personnel
personnel or roles] to detect counterfeit information
system or
roles]].
components
(including
hardware,
software,
and firmware).
The organization
maintains
configuration
control
over
components]
awaiting
service/repair
and system
serviced/repaired
The organization
disposes
of information
components
components
awaiting
return
to
service.
using [Assignment: organization-defined techniques and
methods].
The organization scans for counterfeit information system
components [Assignment: organization-defined frequency].
The organization re-implements or custom develops
[Assignment: organization-defined critical information system
components].
The organization requires that the developer of [Assignment:
organization-defined information system, system component,
or
information
system
service]:
Have
appropriate
access
authorizations as determined by
assigned [Assignment: organization-defined official government
duties];
and
Satisfy [Assignment:
organization-defined additional personnel
screening criteria].
system, system component, or information system service take
[Assignment:
organization-defined actions] to ensure that the
The organization:
required access authorizations and screening criteria are
satisfied.
Replaces information system components when support for the
components is no longer available from the developer, vendor,
or
manufacturer;
andand documents approval for the continued
Provides
justification
use of unsupported system components required to satisfy
mission/business
needs. [Selection (one or more): in-house
The organization provides
support; [Assignment: organization-defined support from
external
providers]] for unsupported information system
The organization:
components.
A system and communications protection policy that addresses
commitment,
organizational
implementation
of theentities,
system and
and
compliance;
and
communications protection policy and associated system and
communications
protection
controls; and
Reviews and updates
the current:
System and communications protection policy [Assignment:

System and communications protection procedures
The information system separates user functionality (including
user interface services) from information system management
functionality.
The information system prevents the presentation of
information system management-related functionality at an
interface
for non-privileged
users.
The information
system isolates
security functions from
nonsecurity functions.
The information system utilizes underlying hardware separation
mechanisms to implement security function isolation.
The information system isolates security functions enforcing
access and information flow control from nonsecurity functions
and
from other security
functions.
The organization
minimizes
the number of nonsecurity
functions included within the isolation boundary containing
security
functions.
The organization
implements security functions as largely
independent modules that maximize internal cohesiveness
within
modules and
minimize security
couplingfunctions
between as
modules.
The organization
implements
a layered
structure minimizing interactions between layers of the design
and
avoiding anysystem
dependence
by unauthorized
lower layers on
the
The information
prevents
and
unintended
functionality
or
correctness
of
higher
layers.
information transfer via shared system resources.
[Withdrawn: Incorporated into SC-4].
The information system prevents unauthorized information
transfer via shared resources in accordance with [Assignment:
procedures]
when system
processing
protects against
or limits
the effects of
explicitly
switches
between
different
information
classification
the following types of denial of service attacks: [Assignment:
levels
or security categories.
types
of denial
service
attacks or to
restricts
the of
ability
of individuals
references
to
sources
for
such
information]
by
employing
launch [Assignment: organization-defined denial of service
[Assignment:
security safeguards].
attacks]
against
other information
systems.
The information
system
manages excess
capacity, bandwidth,
or other redundancy to limit the effects of information flooding
denial
of service attacks.
The organization:
Employs [Assignment: organization-defined monitoring tools] to
detect indicators of denial of service attacks against the
information
system; and
Monitors [Assignment:
organization-defined information system
resources] to determine if sufficient resources exist to prevent
effective
denial of
service
attacks.
The information
system
protects
the availability of resources by
allocating [Assignment: organization-defined resources] by
[Selection
(one or
more); priority; quota; [Assignment:
The information
system:
organization-defined security safeguards]].
Monitors and controls communications at the external
boundary of the system and at key internal boundaries within
the system;
Implements subnetworks for publicly accessible system

components that are [Selection: physically; logically] separated
from
internal
organizational
networks;
and
Connects
to external
networks
or information
systems only
through managed interfaces consisting of boundary protection
devices
arranged
in accordance
with an organizational security
[Withdrawn:
Incorporated
into SC-7].
architecture.
The organization limits the number of external network
connections to the information system.
The organization:
Implements a managed interface for each external
telecommunication service;
Establishes a traffic flow policy for each managed interface;
Protects the confidentiality and integrity of the information
being transmitted across each interface;
Documents each exception to the traffic flow policy with a
supporting mission/business need and duration of that need;
and
Reviews exceptions to the traffic flow policy [Assignment:
organization-defined frequency] and removes exceptions that
are
longer supported
bymanaged
an explicit
mission/business
need.
The no
information
system at
interfaces
denies network
communications traffic by default and allows network
communications
traffic by into
exception
(i.e., deny all, permit by
SC-7 (18)].
exception).
The information system, in conjunction with a remote device,
prevents the device from simultaneously establishing nonremote
connections
withroutes
the system
and communicating
The information
system
[Assignment:
organization-via
some
other
connection
to
resources
in
external
networks.
defined internal communications traffic] to [Assignment:
external networks] through authenticated
proxy servers at managed interfaces.
Detects and denies outgoing communications traffic posing a
threat to external information systems; and
Audits the identity of internal users associated with denied
communications.
The organization prevents the unauthorized exfiltration of
information across managed interfaces.
The information system only allows incoming communications
from [Assignment: organization-defined authorized sources] to
be
to [Assignment:
authorized
Therouted
organization
implements
[Assignment: organizationdestinations].
defined host-based boundary protection mechanisms] at
[Assignment:
information
system
The organization
isolates [Assignment:
components].
information security tools, mechanisms, and support
components] from other internal information system
components by implementing physically separate subnetworks
with managed interfaces to other components of the system.
The organization protects against unauthorized physical

connections at [Assignment: organization-defined managed
interfaces].
The information system routes all networked, privileged
accesses through a dedicated, managed interface for purposes
of
access
controlsystem
and auditing.
The
information
prevents discovery of specific system
components composing a managed interface.
The information system enforces adherence to protocol
formats.
The information system fails securely in the event of an
operational failure of a boundary protection device.
The information system blocks both inbound and outbound
communications traffic between [Assignment: organizationdefined
communication
independently
The information
system clients]
providesthat
theare
capability
to dynamically
configured
by
end
users
and
external
service
providers.
isolate/segregate [Assignment: organization-defined
information
system
components]
from
other components
of the
The organization
employs
boundary
protection
mechanisms
to
system.
separate [Assignment: organization-defined information system
components]
supporting
[Assignment:
The information
system implements
separate
network
missions
and/or
business
functions].
addresses (i.e., different subnets) to connect to systems in
different
securitysystem
domains.
The information
disables feedback to senders on
protocol format validation failure.
The information system protects the [Selection (one or more):
confidentiality; integrity] of transmitted information.
to [Selection (one or more): prevent unauthorized disclosure of
information;
detect
changes
to information]
during
The information
system
maintains
the [Selection
(one or more):
transmission
unless
otherwise
protected
by
[Assignment:
confidentiality; integrity] of information during preparation for
alternative
physical safeguards].
transmission
andsystem
during
reception.
The information
implements
cryptographic mechanisms
to protect message externals unless otherwise protected by
[Assignment:
alternative
physical
The information
system implements
cryptographic
mechanisms
safeguards].
to conceal or randomize communication patterns unless
otherwise
protected
by [Assignment:
[Withdrawn:
Incorporated
into SC-8]. organization-defined
alternative physical safeguards].
The information system terminates the network connection
associated with a communications session at the end of the
session
or after [Assignment:
time period]
The information
system establishes
a trusted communications
of
inactivity.
path between the user and the following security functions of
the
[Assignment:
security
The system:
information
system provides
a trusted communications
functions
to
include
at
a
minimum,
information
system
path that is logically isolated and distinguishable
from other
authentication
and
re-authentication].
paths.
The organization establishes and manages cryptographic keys
for required cryptography employed within the information
system
in accordance
with [Assignment:
The organization
maintains
availability oforganization-defined
information in the
requirements
for
key
generation,
storage, access,
event of the loss of cryptographicdistribution,
keys by users.
and destruction].
The organization produces, controls, and distributes symmetric
cryptographic keys using [Selection: NIST FIPS-compliant; NSAapproved] key management technology and processes.
The organization produces, controls, and distributes

asymmetric cryptographic keys using [Selection: NSA-approved
key
management
technology
processes; approved PKI
[Withdrawn:
Incorporated
intoand
SC-12].
Class 3 certificates or prepositioned keying material; approved
PKI Class 3 or Class 4 certificates and hardware security tokens
[Withdrawn:
Incorporated
into SC-12].
that protect the
users private
key].
The information system implements [Assignment: organizationdefined cryptographic uses and type of cryptography required
for
each use]Incorporated
in accordance
with
applicable federal laws,
[Withdrawn:
into
SC-13].
Executive Orders, directives, policies, regulations, and
standards.
[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI3, SI-4, SI-5, SI-7, SI-10].
Prohibits remote activation of collaborative computing devices
with the following exceptions: [Assignment: organizationdefined
remote
activation
to be allowed];
Providesexceptions
an explicit where
indication
of use
to usersisphysically
present
and
at the devices.
The information system provides physical disconnect of
collaborative computing devices in a manner that supports
ease
of use. Incorporated into SC-7].
[Withdrawn:
The organization disables or removes collaborative computing
devices from [Assignment: organization-defined information
systems
or information
components]
in [Assignment:
The information
systemsystem
provides
an explicit indication
of
secure
work
areas].
current participants in [Assignment: organization-defined online
meetings
and teleconferences].
The information
system associates [Assignment: organizationdefined security attributes] with information exchanged
between
information
systems
andthe
between
system
The information
system
validates
integrity
of transmitted
components.
security attributes.
The organization issues public key certificates under an
[Assignment: organization-defined certificate policy] or obtains
public
key certificates from an approved service provider.
The organization:
Defines acceptable and unacceptable mobile code and mobile
code technologies;
Establishes usage restrictions and implementation guidance for
acceptable mobile code and mobile code technologies; and
Authorizes, monitors, and controls the use of mobile code

within the information system.
The information system identifies [Assignment: organizationdefined unacceptable mobile code] and takes [Assignment:
corrective
actions].
The organization ensures
that the
acquisition, development,
and use of mobile code to be deployed in the information
system
meets [Assignment:
mobile
code
The information
system prevents
the download and
execution
requirements].
of [Assignment: organization-defined unacceptable mobile
code].
The information system prevents the automatic execution of
mobile code in [Assignment: organization-defined software
applications]
and allows
enforces
[Assignment:
The organization
execution
of permitted
mobile code
actions]
prior
to
executing
the
code.
only in confined virtual machine environments.
The organization:
Voice over Internet Protocol (VoIP) technologies based on the
potential
to monitors,
cause damage
to the information
system
if used
Authorizes,
and controls
the use of VoIP
within
the
maliciously;
and
information system.
Provides additional data origin authentication and integrity
verification artifacts along with the authoritative name
resolution
data
the system
returns
response
to external
Provides the
means
to indicate
the in
security
status
of child
name/address
resolution
queries;
and
zones and (if the child supports secure resolution services) to
enable
verification
of a chain
trust among parent and child
[Withdrawn:
Incorporated
intoofSC-20].
domains, when operating as part of a distributed, hierarchical
namespace.
The information system provides data origin and integrity
protection artifacts for internal name/address resolution
queries.
The information system requests and performs data origin
authentication and data integrity verification on the
name/address
resolution responses
the system receives from
into SC-21].
authoritative sources.
The information systems that collectively provide
name/address resolution service for an organization are faulttolerant
and implement
role separation.
The information
system internal/external
protects the authenticity
of
communications sessions.
The information system invalidates session identifiers upon
user logout or other session termination.
The information system generates a unique session identifier
for each session with [Assignment: organization-defined
randomness
requirements]into
andSC-23
recognizes
(3)]. only session
identifiers that are system-generated.
The information system only allows the use of [Assignment:

organization-defined certificate authorities] for verification of
the
of protected
The establishment
information system
fails to sessions.
a [Assignment: organizationdefined known-state] for [Assignment: organization-defined
types
of failures] employs
preserving
[Assignment:
The organization
[Assignment:
system
state
information]
in
failure.
information system components] with minimal functionality
and
information system
storage.includes components specifically
The information
designed to be the target of malicious attacks for the purpose
of
detecting, Incorporated
deflecting, and
analyzing
[Withdrawn:
into
SC-35]. such attacks.
The information system includes: [Assignment: organizationdefined platform-independent applications].
The information system protects the [Selection (one or more):
confidentiality; integrity] of [Assignment: organization-defined
information
at rest].
The information
system implements cryptographic mechanisms
to prevent unauthorized disclosure and modification of
[Assignment:
information]
on stores offThe organization
removes from online
storage and
[Assignment:
information
system
line in a secure location [Assignment: organization-defined
components].
information].
The organization employs a diverse set of information
technologies for [Assignment: organization-defined information
system
components]
in thevirtualization
implementation
of the information
The organization
employs
techniques
to support
system.
the deployment of a diversity of operating systems and
applications
that are
changed
[Assignment:
employs
[Assignment:
defined
frequency].
concealment and misdirection techniques] for [Assignment:
information
systems]
into SC-29
(1)]. at [Assignment:
organization-defined time periods] to confuse and mislead
adversaries.
techniques] to introduce randomness into organizational
operations
and assets.
The organization
changes the location of [Assignment:
organization-defined processing and/or storage] [Selection:
[Assignment:
frequency];information
at random
The organization
employs realistic, time
but misleading
time
intervals]].
in [Assignment: organization-defined information system
components]
withemploys
regard to
its security state
or posture.
The organization
[Assignment:
techniques] to hide or conceal [Assignment: organizationdefined
information system components].
The organization:
Performs a covert channel analysis to identify those aspects of
communications within the information system that are
potential
for covert
[Selection
(one or
more): storage;
Estimatesavenues
the maximum
bandwidth
of those
channels.
timing] channels; and
The organization tests a subset of the identified covert
channels to determine which channels are exploitable.
The organization reduces the maximum bandwidth for
identified covert [Selection (one or more); storage; timing]
channels to [Assignment: organization-defined values].
The organization measures the bandwidth of [Assignment:

organization-defined subset of identified covert channels] in
the
of information
the information
system.
The operational
organizationenvironment
partitions the
system
into
components]
residing in separate
physical domains or
into SC-8].
environments based on [Assignment: organization-defined
circumstances for physical separation of components].
The information system at [Assignment: organization-defined
information system components]:
Loads and executes the operating environment from hardwareenforced, read-only media; and
Loads and executes [Assignment: organization-defined
applications] from hardware-enforced, read-only media.
information system components] with no writeable storage that
is
persistent
across
component
restart or
on/off.prior to
The
organization
protects
the integrity
of power
information
storage on read-only media and controls the media after such
information
has been recorded onto the media.
The organization:
Employs hardware-based, write-protect for [Assignment:
organization-defined information system firmware
components];
and procedures for [Assignment: organizationImplements specific
defined authorized individuals] to manually disable hardware
write-protect
for system
firmware
modifications
and re-enable
the
The information
includes
components
that proactively
write-protect
prior
to
returning
to
operational
mode.
seek to identify malicious websites and/or web-based malicious
code.
The organization distributes [Assignment: organization-defined
processing and storage] across multiple physical locations.
The organization employs polling techniques to identify
potential faults, errors, or compromises to [Assignment:
distributed
processing
and storage
[Assignment:
components].
out-of-band channels] for the physical delivery or electronic
transmission
of [Assignment:
information,
The organization
information
system
components,
or
devices]
to
[Assignment:
security safeguards] to ensure that only [Assignment:
individuals
or
systems].
individuals
or information
information
systems]
[Assignment:
receive
the
[Assignment:
information,
operations security safeguards] to protect key organizational
information
system
components,
ordevelopment
devices].
information
throughout
system
life cycle.
The information
system the
maintains
a separate execution
domain
for each executing process.
The information system implements underlying hardware
separation mechanisms to facilitate process separation.
The information system maintains a separate execution domain
for each thread in [Assignment: organization-defined multithreaded
processing].
The information
system protects external and internal
[Assignment: organization-defined wireless links] from
[Assignment:
types
of signal parameter
The information
system implements
cryptographic
mechanisms
attacks
or
references
to
sources
for
such
attacks].
that achieve [Assignment: organization-defined level of
protection] against the effects of intentional electromagnetic
interference.

to reduce the detection potential of wireless links to
[Assignment:
level
of reduction].
The information
system implements
cryptographic
mechanisms
to identify and reject wireless transmissions that are deliberate
attempts
to achieve
imitative
or manipulative
communications
The information
system
implements
cryptographic
mechanisms
deception
based
on
signal
parameters.
to prevent the identification of [Assignment: organizationdefined
wireless transmitters]
by using
the transmitter
signal
The organization
physically disables
or removes
[Assignment:
parameters.
organization-defined connection ports or input/output devices]
on
organization-defined information systems or
The[Assignment:
information system:
information system components].
Prohibits the remote activation of environmental sensing
capabilities with the following exceptions: [Assignment:
exceptions
activation of
Provides an explicit indication
of where
sensorremote
use to [Assignment:
sensors
is
allowed];
and
organization-defined class of users].
The organization ensures that the information system is
configured so that data or information collected by the
[Assignment:
sensors]
is only reported to
The organization
employs the following
measures:
authorized
individuals
or
roles.
[Assignment: organization-defined measures], so that data or
information
collected
by [Assignment:
The organization
prohibits
the use of devices
possessing
sensors]
is
only
used
for
authorized
purposes.
[Assignment: organization-defined environmental sensing
capabilities]
in [Assignment: organization-defined facilities,
The organization:
areas, or systems].
components]
based onand
thecontrols
potential
touse
cause
damage
to the
Authorizes, monitors,
the
of such
components
information
system
if
used
maliciously;
and
within the information system.
The organization employs a detonation chamber capability
within [Assignment: organization-defined information system,
system
component, or location].
The organization:
A system and information integrity policy that addresses
commitment,
organizational
implementation
of theentities,
system and
and
compliance;
and
information integrity policy and associated system and
information
and
Reviews andintegrity
updatescontrols;
the current:
System and information integrity policy [Assignment:
System and information integrity procedures [Assignment:
The organization:
Identifies, reports, and corrects information system flaws;

Tests software and firmware updates related to flaw
remediation for effectiveness and potential side effects before
installation;
Installs security-relevant software and firmware updates within
[Assignment: organization-defined time period] of the release
of
the updates;
and
Incorporates
flaw
remediation into the organizational
configuration management process.
The organization centrally manages the flaw remediation
process.
The organization employs automated mechanisms
[Assignment: organization-defined frequency] to determine the
state
of information system components with regard to flaw
The organization:
remediation.
Measures the time between flaw identification and flaw
remediation; and
Establishes [Assignment: organization-defined benchmarks] for
taking corrective actions.
The organization installs [Assignment: organization-defined
security-relevant software and firmware updates] automatically
to
[Assignment:
information
system
The
organizationorganization-defined
removes [Assignment:
components].
software and firmware components] after updated versions
have
been installed.
The organization:
Employs malicious code protection mechanisms at information
system entry and exit points to detect and eradicate malicious
code;
Updates malicious code protection mechanisms whenever new
releases are available in accordance with organizational
configuration
management
policy andmechanisms
procedures; to:
Configures malicious
code protection
Perform periodic scans of the information system [Assignment:
organization-defined frequency] and real-time scans of files
from
external
at [Selection
(one or
more);
endpoint;
[Selection
(onesources
or more):
block malicious
code;
quarantine
network
entry/exit
points]
as
the
files
are
downloaded,
opened,
malicious code; send alert to administrator; [Assignment:
or
executed in accordance
with organizational
securitycode
policy;
response
to malicious
Addresses
the receiptaction]]
of falsein
positives
during
malicious code
and
detection;
anderadication and the resulting potential impact on
detection and
the
ofcentrally
the information
system.
The availability
organization
manages
malicious code protection
mechanisms.
The information system automatically updates malicious code
protection mechanisms.
The information system updates malicious code protection

mechanisms only when directed by a privileged user.
The organization:
Tests malicious code protection mechanisms [Assignment:
organization-defined frequency] by introducing a known
benign,
non-spreading
test case
information
system;
Verifies that
both detection
of theinto
testthe
case
and associated
and
incident reporting occur.
The information system implements nonsignature-based
malicious code detection mechanisms.
The information system detects [Assignment: organizationdefined unauthorized operating system commands] through
the
application
programming
at [Assignment:
The kernel
information
system
implements interface
[Assignment:
organizationorganization-defined
information
system
hardware
defined security safeguards] to authenticate [Assignment:
components]
and [Selection
or more): issues a warning;
remote (one
commands].
The
organization:
audits
the command execution; prevents the execution of the
command].
Employs [Assignment: organization-defined tools and
techniques] to analyze the characteristics and behavior of
malicious
code;
Incorporates
theand
results from malicious code analysis into
organizational incident response and flaw remediation
processes.
The organization:
Monitors the information system to detect:
Attacks and indicators of potential attacks in accordance with
[Assignment: organization-defined monitoring objectives]; and
Unauthorized local, network, and remote connections;
Identifies unauthorized use of the information system through
[Assignment: organization-defined techniques and methods];
Deploys monitoring devices:
Strategically within the information system to collect
organization-determined essential information; and
At ad hoc locations within the system to track specific types of
transactions of interest to the organization;
Protects information obtained from intrusion-monitoring tools
from unauthorized access, modification, and deletion;
Heightens the level of information system monitoring activity
whenever there is an indication of increased risk to
organizational
operations
assets,
individuals,system
other
Obtains legal opinion
withand
regard
to information
organizations,
or
the
Nation
based
on
law
enforcement
monitoring activities in accordance with applicable federal
information,
intelligence
information,
or other
sources
laws, Executive
Orders, directives,
policies,
or credible
regulations;
and
of information;
Provides [Assignment: organization-defined information system

monitoring information] to [Assignment: organization-defined
personnel
or roles]
[Selection
or more):
as needed;
The organization
connects
and(one
configures
individual
intrusion
[Assignment:
frequency]].
detection tools into an information system-wide intrusion
detection
system.employs automated tools to support near
The organization
real-time analysis of events.
The organization employs automated tools to integrate
intrusion detection tools into access control and flow control
mechanisms
for system
rapid response
toinbound
attacks and
by enabling
The information
monitors
outbound
reconfiguration
of
these
mechanisms
in
support
of attack
communications traffic [Assignment: organization-defined
isolation
and
elimination.
frequency]
for unusual
unauthorized
activities
or conditions.
The information
systemor
alerts
[Assignment:
organizationdefined personnel or roles] when the following indications of
compromise
or potential compromise
occur: [Assignment:
into AC-6 (10)].
organization-defined compromise indicators].
The information system notifies [Assignment: organizationdefined incident response personnel (identified by name and/or
by
role)] of detected
suspicious
events and takes [Assignment:
[Withdrawn:
Incorporated
into SI-4].
organization-defined least-disruptive actions to terminate
suspicious events].
The organization tests intrusion-monitoring tools [Assignment:
The organization makes provisions so that [Assignment:
organization-defined encrypted communications traffic] is
visible
to [Assignment:
information
The organization
analyzes
outbound communications
traffic at
system
monitoring
tools].
the external boundary of the information system and selected
[Assignment:
interior
points within
the
The organization
employs automated
mechanisms
to alert
system
(e.g.,
subnetworks,
subsystems)]
to
discover
security personnel of the following inappropriate or unusual
anomalies.
activities
with security implications: [Assignment: organizationThe organization:
defined activities that trigger alerts].
Analyzes communications traffic/event patterns for the
information system;
Develops profiles representing common traffic patterns and/or
events; and
Uses the traffic/event profiles in tuning system-monitoring
devices to reduce the number of false positives and the
number
of false negatives.
The organization
employs a wireless intrusion detection system
to identify rogue wireless devices and to detect attack
attempts
and potential
compromises/breaches
tosystem
the
The organization
employs
an intrusion detection
to
information
system.
monitor wireless communications traffic as the traffic passes
from
wireless to wireline
networks.
The organization
correlates
information from monitoring tools
employed throughout the information system.
The organization correlates information from monitoring
physical, cyber, and supply chain activities to achieve
integrated,
organization-wide
situational
awareness. traffic at
The organization
analyzes outbound
communications
the external boundary of the information system (i.e., system
perimeter) and at [Assignment: organization-defined interior
points within the system (e.g., subsystems, subnetworks)] to
detect covert exfiltration of information.
The organization implements [Assignment: organizationdefined additional monitoring] of individuals who have been
identified
by [Assignment:
sources] as
The organization
implements
[Assignment: organizationposing
increased
level of risk.
definedan
additional
monitoring]
of privileged users.
The organization implements [Assignment: organizationdefined additional monitoring] of individuals during
[Assignment:
probationary
The information
system detects network
servicesperiod].
that have not
been authorized or approved by [Assignment: organizationdefined
authorization
or approval
processes]
and [Selection
The organization
implements
[Assignment:
organization(one
or
more):
audits;
alerts
[Assignment:
defined host-based monitoring mechanisms] at [Assignment:
personnel
or roles]]. information system components].
discovers, collects, distributes, and
uses indicators of compromise.
The organization:
Receives information system security alerts, advisories, and
directives from [Assignment: organization-defined external
organizations]
on an
ongoing
basis;advisories, and directives as
Generates internal
security
alerts,
deemed necessary;
Disseminates security alerts, advisories, and directives to:
[Selection (one or more): [Assignment: organization-defined
personnel
orsecurity
roles]; [Assignment:
Implements
directives in accordance
with established
elements
within
the
organization];
organizationtime frames, or notifies the issuing [Assignment:
organization of
the degree
defined
external
organizations]];
and
of
noncompliance.
The organization employs automated mechanisms to make
security alert and advisory information available throughout
the
The organization.
information system:
Verifies the correct operation of [Assignment: organizationdefined security functions];
Performs this verification [Selection (one or more):
[Assignment: organization-defined system transitional states];
upon
command
by user
with appropriate privilege;
Notifies
[Assignment:
personnel or roles]
[Assignment:
frequency]];
of failed security verification tests; and
[Selection (one or more): shuts the information system down;
restarts the information system; [Assignment: organizationdefined
alternative
action(s)]]
[Withdrawn:
Incorporated
into when
SI-6]. anomalies are discovered.
The information system implements automated mechanisms to
support the management of distributed security testing.
The organization reports the results of security function
verification to [Assignment: organization-defined personnel or
roles].
The organization employs integrity verification tools to detect
unauthorized changes to [Assignment: organization-defined
software,
firmware,
and information].
The information
system
performs an integrity check of
[Assignment: organization-defined software, firmware, and
information] [Selection (one or more): at startup; at
[Assignment: organization-defined transitional states or
security-relevant events]; [Assignment: organization-defined
frequency]].
The organization employs automated tools that provide

notification to [Assignment: organization-defined personnel or
roles]
upon discovering
discrepancies
during integrity
The organization
employs
centrally managed
integrity
verification.
verification tools.
[Withdrawn: Incorporated into SA-12].
The information system automatically [Selection (one or more):
shuts the information system down; restarts the information
system;
implements
[Assignment:
The information
system
implements
cryptographic mechanisms
security
safeguards]]
when
integrity
violations
are discovered.
to detect unauthorized changes to software,
firmware,
and
information.
The organization incorporates the detection of unauthorized
[Assignment: organization-defined security-relevant changes to
the
organizational
incident
The information
information system]
system, into
uponthe
detection
of a potential
integrity
response
capability.
violation, provides the capability to audit the event and
initiates
the following
actions:
[Selection
(oneoforthe
more):
The information
system
verifies
the integrity
boot
generates
an
audit
record;
alerts
current
user;
alerts
process of [Assignment: organization-defined devices].
[Assignment: organization-defined personnel or roles];
The
information
system implements
[Assignment:
[Assignment:
other
actions]]. organizationdefined security safeguards] to protect the integrity of boot
firmware
in [Assignment:
devices].
The organization
requires organization-defined
that [Assignment: organizationdefined user-installed software] execute in a confined physical
or
virtual
machinerequires
environment
with
limitedof
privileges.
The
organization
that the
integrity
[Assignment:
organization-defined user-installed software] be verified prior to
execution.
The organization allows execution of binary or machineexecutable code obtained from sources with limited or no
warranty
and without the provision of source code only in
The organization:
confined physical or virtual machine environments and with the
explicit approval of [Assignment: organization-defined
Prohibits
of binary or machine-executable code from
personnelthe
or use
roles].
sources with limited or no warranty and without the provision
of
sourceexceptions
code; and to the source code requirement only for
Provides
compelling mission/operational requirements and with the
approval
of the authorizing
official. cryptographic mechanisms
The information
system implements
to authenticate [Assignment: organization-defined software or
firmware
components]
prior
to installation.
The organization
does not
allow
processes to execute without
supervision for more than [Assignment: organization-defined
time
period].
The organization:
Employs spam protection mechanisms at information system
entry and exit points to detect and take action on unsolicited
messages;
andprotection mechanisms when new releases are
Updates spam
available in accordance with organizational configuration
management
policy
and procedures.
The organization
centrally
manages spam protection
mechanisms.
The information system automatically updates spam protection
mechanisms.
The information system implements spam protection

mechanisms with a learning capability to more effectively
identify
legitimate
communications
[Withdrawn:
Incorporated
into AC-2,traffic.
AC-3, AC-5, AC-6].
The information system checks the validity of [Assignment:
organization-defined information inputs].
Provides a manual override capability for input validation of
[Assignment: organization-defined inputs];
Restricts the use of the manual override capability to only
[Assignment: organization-defined authorized individuals]; and
Audits the use of the manual override capability.
The organization ensures that input validation errors are
reviewed and resolved within [Assignment: organizationdefined
time period].
The information
system behaves in a predictable and
documented manner that reflects organizational and system
objectives
when invalid
inputs
are received.
The organization
accounts
for timing
interactions among
information system components in determining appropriate
responses
for invalid
inputs.
The organization
restricts
the use of information inputs to
[Assignment: organization-defined trusted sources] and/or
[Assignment:
formats].
The information
system:
Generates error messages that provide information necessary
for corrective actions without revealing information that could
be
exploited
adversaries;
Reveals
errorby
messages
only and
to [Assignment: organizationdefined personnel or roles].
The organization handles and retains information within the
information system and information output from the system in
accordance
with applicable federal laws, Executive Orders,
The organization:
directives, policies, regulations, standards, and operational
requirements.
Determines mean time to failure (MTTF) for [Assignment:
organization-defined information system components] in
specific
of operation;
andcomponents and a
Providesenvironments
substitute information
system
means to exchange active and standby components at
[Assignment:
substitution
criteria].
The organization
takes information MTTF
system
components
out of
service by transferring component responsibilities to substitute
components
no later than into
[Assignment:
SI-7 (16)].organization-defined
fraction or percentage] of mean time to failure.
The organization manually initiates transfers between active
and standby information system components [Assignment:
frequency]system
if the mean
time tofailures
failure are
The organization, if information
component
exceeds
[Assignment:
time
period].
detected:
Ensures that the standby components are successfully and

transparently installed within [Assignment: organizationdefined
time
period];
and activates [Assignment: organization[Selection
(one
or more):
defined alarm]; automatically shuts down the information
system].
The organization provides [Selection: real-time; near real-time]
[Assignment: organization-defined failover capability] for the
information
system.
The organization
implements non-persistent [Assignment:
organization-defined information system components and
services]
that areensures
initiatedthat
in asoftware
known state
and terminated
The organization
and data
employed
[Selection
(one
or
more):
upon
end
of
session
of use;
during information system component and service
refreshes
periodically
atfrom
[Assignment:
frequency]].
are
obtained
[Assignment:
trusted
The information system validates information output from
sources].
[Assignment: organization-defined software programs and/or
applications]
to ensure
the information
is consistent
with
The information
systemthat
implements
[Assignment:
organizationthe
expected
content.
defined security safeguards] to protect its memory from
unauthorized
code
execution.
The information
system
implements [Assignment: organizationdefined fail-safe procedures] when [Assignment: organizationdefined
failure conditions occur].
The organization:
Develops and disseminates an organization-wide information
security program plan that:
Provides an overview of the requirements for the security
program and a description of the security program
management
controls and and
common
controls
place or
Includes the identification
assignment
ofinroles,
planned
for
meeting
those
requirements;
among
entities,
and compliance;
Reflectsorganizational
coordination among
organizational
entities responsible
for the different aspects of information security (i.e., technical,
physical,
personnel,
cyber-physical);
and
Is approved
by a senior
official with responsibility
and
accountability for the risk being incurred to organizational
operations
mission, functions,
image,
andprogram
Reviews the(including
organization-wide
information
security
reputation),
organizational
assets,
individuals,
other
plan [Assignment: organization-defined frequency];
organizations, and the Nation;
Updates the plan to address organizational changes and
problems identified during plan implementation or security
control
andsecurity program plan from
Protectsassessments;
the information
unauthorized disclosure and modification.
The organization appoints a senior information security officer
with the mission and resources to coordinate, develop,
implement,
and maintain an organization-wide information
The organization:
security program.
Ensures that all capital planning and investment requests
include the resources needed to implement the information
security
and
documents300/Exhibit
all exceptions
to record
this
Employs program
a business
case/Exhibit
53 to
the
requirement;
resources required; and
Ensures that information security resources are available for
expenditure as planned.
The organization:
Implements a process for ensuring that plans of action and
milestones for the security program and associated
organizational
systems:
Are developed information
and maintained;
Document the remedial information security actions to
adequately respond to risk to organizational operations and
assets,
individuals,
other organizations,
and reporting
the Nation; and
Are reported
in accordance
with OMB FISMA
requirements.
Reviews plans of action and milestones for consistency with the
organizational risk management strategy and organizationwide
priorities fordevelops
risk response
actions. an inventory of its
The organization
and maintains
The organization develops, monitors, and reports on the results
of information security measures of performance.
The organization develops an enterprise architecture with
consideration for information security and the resulting risk to
organizational
operations,
assets, issues
individuals,
The organization
addressesorganizational
information security
in the
other
organizations,
and
the
Nation.
development, documentation, and updating of a critical
infrastructure
and key resources protection plan.
The organization:
Develops a comprehensive strategy to manage risk to
organizational operations and assets, individuals, other
organizations,
and
Nation associated
with
the operation
Implements the
riskthe
management
strategy
consistently
across
and
use
of
information
systems;
the organization; and
Reviews and updates the risk management strategy
[Assignment: organization-defined frequency] or as required, to
address
organizational changes.
The organization:
Manages (i.e., documents, tracks, and reports) the security
state of organizational information systems and the
environments
in which to
those
systems
through security
Designates individuals
fulfill
specificoperate
roles and
authorization
processes;
responsibilities within the organizational risk management
process;
and
Fully integrates
the security authorization processes into an
organization-wide risk management program.
The organization:
Defines mission/business processes with consideration for
information security and the resulting risk to organizational
operations,
assets, individuals,
other
Determines organizational
information protection
needs arising
from the
organizations,
and
the
Nation;
and
defined mission/business processes and revises the processes
as
until
achievablean
protection
needsprogram
are obtained.
Thenecessary,
organization
implements
insider threat
that
includes a cross-discipline insider threat incident handling
team.
The organization establishes an information security workforce

development and improvement program.
The organization:
Implements a process for ensuring that organizational plans for
conducting security testing, training, and monitoring activities
associated
withand
organizational
systems:
Are developed
maintained;information
and
Continue to be executed in a timely manner;
Reviews testing, training, and monitoring plans for consistency
with the organizational risk management strategy and
organization-wide
priorities for
risk
response actions.
The organization establishes
and
institutionalizes
contact with
selected groups and associations within the security
community:
To facilitate ongoing security education and training for
organizational personnel;
To maintain currency with recommended security practices,
techniques, and technologies; and
To share current security-related information including threats,
vulnerabilities, and incidents.
The organization implements a threat awareness program that
includes a cross-organization information-sharing capability.
SUPPLEMENTAL GUIDANCE
This control addresses the establishment of policy and
procedures for the effective implementation of selected
security controls and control enhancements in the AC family.
Policy and procedures reflect applicable federal laws, Executive
Orders, directives, regulations, policies, standards, and
guidance. Security program policies and procedures at the
organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be
included as part of the general information security policy for
organizations or conversely, can be represented by multiple
policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
Information system account types include, for example,
individual, shared, group, system, guest/anonymous,
emergency, developer/manufacturer/vendor, temporary, and
service. Some of the account management requirements listed
above can be implemented by organizational information
systems. The identification of authorized users of the
information system and the specification of access privileges
reflects the requirements in other security controls in the
security plan. Users requiring administrative privileges on
information system accounts receive additional scrutiny by
appropriate organizational personnel (e.g., system owner,
mission/business owner, or chief information security officer)
responsible for approving such accounts and privileged access.
Organizations may choose to define access privileges or other
attributes by account, by type of account, or a combination of
both. Other attributes required for authorizing access include,
for example, restrictions on time-of-day, day-of-week, and
point-of-origin. In defining other account attributes,
organizations consider system-related requirements (e.g.,
scheduled maintenance, system upgrades) and
mission/business requirements, (e.g., time zone differences,
customer requirements, remote access to support travel
requirements). Failure to consider these factors could affect
information system availability. Temporary and emergency
accounts are accounts intended for short-term use.
Organizations establish temporary accounts as a part of normal
account activation procedures when there is a need for shortterm accounts without the demand for immediacy in account
activation. Organizations establish emergency accounts in
response to crisis situations and with the need for rapid
account activation. Therefore, emergency account activation
may bypass normal account authorization processes.
Emergency and temporary accounts are not to be confused
with infrequently used accounts (e.g., local logon accounts
used for special tasks defined by organizations or when
network resources are unavailable). Such accounts remain
available and are not subject to automatic disabling or removal
dates. Conditions for disabling or deactivating accounts
The use of automated mechanisms can include, for example:

using email or text messaging to automatically notify account
managers
users are terminated
transferred;
using the
This controlwhen
enhancement
requires theorremoval
of both
information
system
to
monitor
account
usage;
and
using
temporary and emergency accounts automatically after a
telephonic
to report
atypicalrather
system
account
predefined notification
period of time
has elapsed,
than
at theusage.
convenience of the systems administrator.
In contrast to conventional access control approaches which

employ static information system accounts and predefined sets
of
user privileges,
access controlroles
approaches
Privileged
roles aredynamic
assigned(e.g.,
to
service-oriented
architectures)
rely
on
run
time
access
control
individuals that allow those individuals to perform
certain
decisions
facilitated
by dynamic
privilegeusers
management.
security-relevant
functions
that ordinary
are not While
user
identities
may
remain
relatively
constant
over
time,
authorized to perform. These privileged roles include,
for user
privileges
maymanagement,
change more account
frequently
based on ongoing
example, key
management,
network
mission/business
requirements
and
operational
needsand
of web
and system administration, database administration,
organizations.
Dynamic
privilege
management
can
include,
for
administration.
example, the immediate revocation of privileges from users, as
opposed to requiring that users terminate and restart their
sessions to reflect any changes in privileges. Dynamic privilege
Dynamic
approaches
creating
information
system
accounts
management
can alsofor
refer
to mechanisms
that
change
the
(e.g.,
as
implemented
within
service-oriented
architectures)
privileges of users based on dynamic rules as opposed to
rely
on establishing
(identities)
run time for entities
editing
specific user accounts
profiles. This
type of at
privilege
that
were
previously
unknown.
Organizations
plan
for dynamic
management includes, for example, automatic
adjustments
of
creation
system accounts
by establishing
privilegesofifinformation
users are operating
out of their
normal work trust
times,
relationships
andsystems
mechanisms
with the
appropriate
authorities
or if information
are under
duress
or in emergency
to
validate
related
authorizations
and
privileges.
maintenance situations. This control enhancement also
Organizations
can describe
includes the ancillary
effectsthe
of specific
privilegeconditions
changes, or
for example,
circumstances
under which
information
accounts can
the potential changes
to encryption
keyssystem
used for
be
used,usage
for example,
byfor
restricting
usage
to certain
of
Atypical
includes,
example,
accessing
information
communications.
Dynamic
privilege
management
candays
support
the
week,
time
of
day,
or
specific
durations
of
time.
systems
at certain
times of the
day and
from locations that are
requirements
for information
system
resiliency.
not consistent with the normal usage patterns of individuals
working in organizations.
Users posing a significant risk to organizations include

individuals for whom reliable evidence or intelligence indicates
either the intention to use authorized access to information
systems to cause harm or through whom adversaries will cause
harm. Harm includes potential adverse impacts to
organizations, or the Nation. Close coordination between
authorizing officials, information system administrators, and
Access control policies (e.g., identity-based policies, role-based

policies, control matrices, cryptography) control access
between active entities or subjects (i.e., users or processes
acting on behalf of users) and passive entities or objects (e.g.,
devices, files, records, domains) in information systems. In
Dual
authorization
mechanisms
approval
of two
addition
to enforcing
authorized require
access the
at the
information
authorized
individuals
in
order
to
execute.
Organizations
dohost
not
system level and recognizing that information systems can
require
dual
authorization
mechanisms
when
immediate
Mandatory
access control
as defined
in thisofcontrol
many applications
and services
in support
organizational
responses
are
necessary
to
ensure
public
and
environmental
enhancement
is synonymous
with nondiscretionary
access
missions and business
operations,
access enforcement
safety.
Dual
authorization
may
also
be
known
as
two-person
control,
and iscan
notalso
constrained
only at
to the
certain
historical
uses
mechanisms
be employed
application
and
control.
(e.g.,
implementations
the Bell-LaPadula
Model). The
service
level to provideusing
increased
information security.
above class of mandatory access control policies constrains
what actions subjects can take with information obtained from
data objects for which they have already been granted access,
thus preventing the subjects from passing the information to
unauthorized subjects and objects. This class of mandatory
access control policies also constrains what actions subjects
can take with respect to the propagation of access control
privileges; that is, a subject with a privilege cannot pass that
privilege to other subjects. The policy is uniformly enforced
over all subjects and objects to which the information system
has control. Otherwise, the access control policy can be
circumvented. This enforcement typically is provided via an
implementation that meets the reference monitor concept (see
AC-25). The policy is bounded by the information system
boundary (i.e., once the information is passed outside of the
control of the system, additional means may be required to
ensure that the constraints on the information remain in
When
access control
policies
areare
implemented,
effect).discretionary
The trusted subjects
described
above
granted
subjects
not constrained
regard
what
actions(see
they
privilegesare
consistent
with thewith
concept
of to
least
privilege
can
take
with information
which
they
already
been
AC-6).
Trusted
subjects arefor
only
given
thehave
minimum
privileges
granted
access.
Thus,policy
subjects
that have
granted access
relative to
the above
necessary
for been
satisfying
to
information are
not preventedneeds.
from passing
(i.e., is
the
organizational
mission/business
The control
most
subjects
have
thethere
discretion
to policy
pass) the
information
to other
applicable
when
is some
mandate
(e.g., law,
subjects
objects.
This control
enhancement
can operatea in
ExecutiveorOrder,
directive,
or regulation)
that establishes
conjunction
with
AC-3
(3).
A
subject
that
is
constrained
in its
policy regarding access to sensitive/classified information
and
operation
byofpolicies
governedsystem
by AC-3are
(3)not
is still
able to
some users
the information
authorized
operate
the less rigorous constraints
this control
access tounder
all sensitive/classified
informationof
resident
in the
enhancement.
Thus, This
while
AC-3 (3)
information system.
control
canimposes
operateconstraints
in conjunction
preventing
a subject
from
passing
information
to operation
another by
with AC-3 (4).
A subject
that
is constrained
in its
subject
operating
at
a
different
sensitivity
level,
AC-3
policies governed by this control is still able to operate(4)
under
permits
subject
to pass the
information
any subject
at
the less the
rigorous
constraints
of AC-3
(4), butto
policies
governed
Security-relevant
information
any
within
the
same
sensitivity
level. Theispolicy
is bounded
by the
by this
control
take
precedence
overinformation
the
less rigorous
information
systems
that
can
potentially
impact
the is
operation
system
boundary.
Once the
information
passed
constraints of
AC-3 (4).
For
example,
while
a mandatory
access
of
security
functions
or
the
provision
of
security
services
in a
outside
of
the
control
of
the
information
system,
additional
control policy imposes a constraint preventing a subject from
manner
that
could
result
in
failure
to
enforce
system
security
means
be required
to ensure
that the
constraints
remain
passingmay
information
to another
subject
operating
at a different
policies
maintain
the
of
code
and
data.
Securityin
effect.orWhile
the
older,
more traditional
definitions
of
sensitivity
label,
AC-3
(4)isolation
permits
the
subject
to pass
the
Role-based
access
control
(RBAC)
is identity-based
an access
control
policy
relevant
information
includes,
for
example,
filtering
rules
discretionary
control
require
access
information
toaccess
any subject
with
the
same sensitivity
label for
as
that
restricts
information
system
access
to
authorized
users.
routers/firewalls,
cryptographic
key
management
information,
control,
that
limitation
is
not
required
for
this
use
of
the subject.
Organizations
can create
rolesbased
basedon
onand
jobtypes
functions
Revocation
ofaccess
access
rulesspecific
may
differ
the
of
configuration
parameters
for
security
services,
access
discretionary
control.
and
the
authorizations
(i.e.,
privileges)
to
perform
needed
access
For example,
if a subject
user
or process)
control revoked.
lists. Secure,
non-operable
system(i.e.,
states
include
the
operations
on
organizational
information
systems
associated
is
removed
from
a group, access
may
not
beperforming
revoked
until the
times
in which
information
systems
are
not
with
the
When
users
are
next
timeorganization-defined
the object (e.g.,processing
file)roles.
is opened
until
theassigned
next
timeto
mission/business-related
(e.g.,or
the
system
is off-line
the
organizational
roles,
they
inherit
the
authorizations
or
the
subject attempts
a new accessboot-up,
to the object.
Revocation
for maintenance,
troubleshooting,
shut down).
privileges
defined for
those roles.
RBAC
privilege
based on changes
to security
labels
maysimplifies
take effect
administration
for organizations
becausealternative
privileges approaches
are not
immediately. Organizations
can provide
assigned
directly
to
every
user
(which
can
be
a
significant
on how to make revocations immediate if information systems
Information systems can only protect organizational

information within the confines of established system
boundaries. Additional security safeguards may be needed to
ensure that such information is adequately protected once it is
passed beyond the established information system boundaries.
Examples of information leaving the system boundary include
transmitting information to an external information system or
printing the information on one of its printers. In cases where
the information system is unable to make a determination of
the
adequacy
of the
protections
provided
by entities outside
its
Information
flow
control
regulates
where information
is allowed
boundary,
as
a
mitigating
control,
organizations
determine
to travel within an information system and between
procedurally
whether(as
theopposed
externalto
information
systems
are
information
systems
who is allowed
tosecurity
access
Information
flow
enforcement
mechanisms
compare
providing
adequate
The
means
used to
determine the
the
information)
andsecurity.
without
explicit
regard
subsequent
attributes
associated
withprovided
information
(data to
content
and data
adequacy
of
the
security
by
external
information
accesses
to
that
information. Flowobjects,
control and
restrictions
include,
structure)
and
source/destination
respond
Within
information
protected
processing
domains
are
systems
include,
forsystems,
example,
conducting
inspections
or being
for
example,
keeping
export-controlled
information
from
appropriately
(e.g.,
block,
quarantine,
alert
administrator)
processing
spaces
that
have
controlled
interactions
with
other
periodic
testing,
establishing
agreements
between
the
transmitted
in the clearencounter
to the Internet,
blocking
outside
traffic
when
the mechanisms
information
flows
not flows
processing
spaces,
thus
enabling
control
ofinformation
information
organization
and
its
counterpart
organizations,
or some
other
Organizational
policies
regarding
dynamic
flow
that
claims
to
be
from
within
the
organization,
restricting
web
explicitly
allowed
by used
information
flow
policies.
For
example,
an
between
these
spaces
and
to/from
data/information
objects.
A
process.
The
means
by
external
entities
to
protect
the
control
include,
for
example,
allowing
or
disallowing
requests
to
the
Internet
that
are
not
from
the
internal
web
information
object
labeled
Secret
would
be
allowed
to
flow
to
protected
processing
domain
can
for
information
received
need
not
be be
theprovided,
same
as those
used bybya
information
flows
oninformation
changing
conditions
orexample,
proxy
server,
and based
limiting
transfers
between
destination
object
labeled
Secret,
but
an
information
object
implementing
domain
and
type
enforcement.
In
domain
and
the
organization,
butconsiderations.
the
means
employed
are
sufficient
to
mission/operational
Changing
conditions
organizations
based
on
data
structures
and
content.
labeled
Top
Secret
would
not
be
allowed
to
flow
to
a
destination
type
enforcement,
information
system
processes
are
assigned
provide
consistent
adjudication
of
the
security
policy
to
protect
include,
for example,
changes
in
organizational
risk
tolerance
Transferring
information
between
information
systems
object
labeled
Secret.
Security
attributes
can
also
include,
for
Embedding
data
types
within
other
data
types
may
result
in
to
domains;
information
is
identified
by
types;
and
information
the
information.
This
control
enhancement
requires
information
due
to
changes
in
the
immediacy
of
mission/business
needs,
representing
different
security
domains
with
different
security
example,
source
and
destination
addresses
employed
in traffic
reduced
flow
control
effectiveness.
Data
type
embedding
flows
areintroduces
controlled
based
allowed
information
accesses
systems
to
employ
technical
or
procedural
means
to potentially
validate
changes
in
the
threat
environment,
and
detection
of
policies
risk
thaton
such
transfers
violate
one
or more
filter
firewalls.
Flow
enforcement
using
explicit
security
includes,
for
example,
executable
files
as objects
(determined
by domain
and
type),
signaling
among
the
information
prior
toinserting
releasing
itallowed
to external
systems.
For of
Metadata
is
information
used
to
describe
the
characteristics
harmful
or
adverse
events.
domain
security
policies.
In
such
situations,
information
attributes
can
be
used,process
for example,
toreferences
control
theor
release
of
within
word
processing
files,
inserting
descriptive
domains,
and
allowed
transitions
to
other
domains.
example,
if
the
information
system
passes
information
to
data.
Metadata
can
include
structural
metadata describing
data
owners/stewards
provide
guidance
at designated
policy
certain
types
of
information.
information
into
a media
file,
and
compressed
or archived
data
another
system
controlled
by interconnected
another
organization,
technical
structures
(e.g.,
data
format,
syntax,
and
semantics)
or
enforcement
points
between
systems.
types
that
include
multiple
data(e.g.,
types.
means
are may
employed
to
validate embedded
that
the
security
attributes
descriptive
metadata
describing
data
contents
age,
Organizations
consider
mandating
specific
architectural
Limitations
on
data
type
embedding
consider
the
levels
offor
associated
with
the
exported
information
are
appropriate
location,
number).
Enforcing
allowed
information
solutions telephone
when required
to enforce
specific
security
policies.
Organization-defined
security
policy
filters
can
address
data
embedding
and
prohibit
levels
of
data
type
embedding
that
the
receiving
system.
Alternatively,
if
the
information
system
flows
based on
metadata
simpler
and more
effectiveare
Enforcement
includes,
for enables
example:
(i) prohibiting
information
structures
and
content.
For
example,
security
policy
filters
beyond
the
capability
of
the
inspection
tools.
passes
information
to
a
printer
in
flow
control.
Organizations
consider
the trustworthiness
of for
transfers
between
interconnected
systems
(i.e., allowing
data
structures
can
check
for
maximum
file
lengths,
maximum
space,
means
can
be
employed
toknowledge
ensure
only
Organizations
define
security
policy
filters
for
all
situations
metadata
with(ii)
regard
to data
accuracy
(i.e.,
that
access procedural
only);
employing
hardware
mechanisms
to that
enforce
field
sizes,
and
data/file
types
(for
structured
and
unstructured
appropriately
authorized
individuals
gain
access
to
the
printer.
where
automated
flow
control
are possible.
Whendata
a
the
metadata
values
are
correct
with
respect
to the
data),
one-way
information
flows;
anddecisions
(iii)
implementing
trustworthy
data).
Security
policy
filters
data
content
can
check
for
This
control
enhancement
isfor
most
applicable
when
there
isa
fully
automated
flow
control
decision
is
not
possible,
then
integrity
(i.e.,
protecting
against
unauthorized
changes
to
regrading
mechanisms
to
reassign
security
attributes
and
For
example,
as
allowed
by the information
system
specific
words
(e.g.,
dirty/clean
word
filters),
some
policy
mandate
(e.g.,
law,
Executive
Order,
directive,
or
human
review
may
employed
in
lieu
of,
orenumerated
as the
ainformation
complement
metadata
tags),
andbe
the
binding
of
metadata
to
datafilters
security
labels.
Organizations
commonly
employ
authorization,
administrators
can
enable
security
policy
values
or
data
value
ranges,
and
hidden
content.
Structured
regulation)
that
establishes
policy
regarding
access
to
the
to,
automated
security
policy
filtering.
Human
reviews
may
payload
(i.e.,policies
ensuring
sufficiently
strong
binding
techniques
flow
control
and
enforcement
mechanisms
to control
to
accommodate
approved
data
types.
For
example,
to
reflect
changes
in
security
policies,
data
permits
the
interpretation
of
data
content
by
applications.
information,
and
that
policy
applies
beyond
the
realm
of
also
be
employed
as
deemed
necessary
by
organizations.
with
appropriate
levels between
of assurance).
the flow
of information
designated sources and a
administrators
can
change
the
list
of digital
dirty
words
that
Unstructured
data
typically
refers
to
information
without
particular
information
system
or
organization.
destinations (e.g., networks, individuals,
and
devices)
within
security
policy
mechanisms
check
in
accordance
with
the
a
particular
data
structure
or
with
a
data
structure
that
does
Data
type identifiers
include,
for example,
filenames,
file types,
information
systems and
between
interconnected
systems.
definitions
by
organizations.
not
facilitate
the
development
of rule
sets toof
address
the
file
and
internal
file
Flowsignatures/tokens,
controlprovided
is
based
on
themultiple
characteristics
the information
particular
of path.
the information
conveyed
by
the
data
signatures/tokens.
Information
systems
may
allow
transfer
of
and/orenforcement
thesensitivity
information
Enforcement
occurs,
for
example,
Policy
mechanisms
apply
filtering,
inspection,
or
the
associated
flow
enforcement
decisions.
Unstructured
data
only
if
compliant
with
data
type
format
specifications.
in
boundary
protection
devices
(e.g., gateways,subcomponents
routers,
and/or
sanitization
rules
to objects
the policy-relevant
data
consists
of: (i)tunnels,
bitmap
that
are
inherently
guards,
encrypted
firewalls)
that
employ
rule non
sets or
of
information
facilitate
flow
enforcement
prior
Data
structure to
and
content
restrictions
reduce
theto
range
of
language-based
(i.e.,
image,
video,
or
audio
files);
and (ii)
establish
configuration
settings
that
restrict
information
system
transferring
such
information
to
different
security
potential
malicious
and/or
unsanctioned
content
indomains.
crosstextual
objects
that
are
based
on
written
or
printed
languages
services,
providefiles
a packet-filtering
capability
based
on header
Parsing
transfer
facilitates
policy
decisions
on
source,
domain
transactions.
Security
policy
filters
that documents,
restrict
data
(e.g.,
commercial
off-the-shelf
word
processing
Detection
of
unsanctioned
information
includes,
for
example,
information, certificates,
or message-filtering
capability
based onand
message
destination,
classification,
attachments,
other
structures
include,
for
example,
restricting
file
sizes
and
field
spreadsheets,
or emails).toOrganizations
can
implement
more
checking
all
information
be
transferred
for
malicious
code
content
(e.g.,
implementing
key
word
searches
or
using
security-related
component
differentiators.
lengths.
content
policy
filters
include,
for example:
(i)
than
oneData
security
policy
filter
to meet
information
flow control
and
dirty
words.
document
characteristics).
Organizations
also consider
the
encoding
formats
for character
sets
(e.g.,
Universal
Character
objectives
(e.g.,
employing
clean
word
lists
in
conjunction
trustworthiness of filtering/inspection mechanisms (i.e., with
Set
Transformation
American
Standard
Code for
dirty
word firmware,
lists mayFormats,
help
to reduce
false
positives).
hardware,
and software
components)
that are critical
Attribution
a critical component
of a security
concept
of
InformationisInterchange);
(ii) restricting
character
data fields
to
to information flow enforcement. Control enhancements 3
operations.
ability to identify
source(iii)
and
destination
points
only containThe
alpha-numeric
characters;
prohibiting
special
through 22 primarily address cross-domain solution needs
for
information
in information
allows the
characters;
andflowing
(iv) validating
schemasystems,
structures.
which focus on more advanced filtering techniques, in-depth
forensic reconstruction of events when required, and
analysis, and stronger flow enforcement mechanisms
encourages policy compliance by attributing policy violations to
implemented in cross-domain products, for example, highspecific organizations/individuals. Successful domain
assurance guards. Such capabilities are generally not available
authentication requires that information system labels
in commercial off-the-shelf information technology products.
distinguish among systems, organizations, and individuals
Binding techniques implemented by information systems affect

the strength of security attribute binding to information.
Binding
strength
and the assurance
associated
with
binding
This control
enhancement
requires the
validation
of metadata
techniques
play
an important
part inapplies.
the trustSome
organizations
and the data
to which
the metadata
have
in
the
information
flow
enforcement
process.
Thepayloads
binding
organizations
distinguish
between
metadata
and
data
Organizations
define
approved
solutions
and
configurations
in
techniques
affect
the
number
and
degree
of
additional
reviews
(i.e.,
only the data
to which
the metadata
is bound).
Other
cross-domain
policies
and
guidance
in
accordance
with
the
required
by organizations.
organizations
do not flows
makeacross
such distinctions,
considering
types
of information
classification
boundaries.
The
Enforcing
the
separation
ofwhich
information
flows by
type can
metadata
and
the
data
to
the
metadata
applies
as
part
Unified
Cross
Domain
(UCDMO)
provides a
enhance
protection
byManagement
ensuring(including
thatOffice
information
is not
of
the payload.
All
information
metadata
and the
baseline
listing
of
approved
cross-domain
solutions.
commingled
in transit
and by enabling
flow
control by
The
for example,
a desktop
for
datainformation
to whichwhile
thesystem,
metadata
applies)
isprovides
subject
to
filtering
and
transmission
paths
perhaps
not
otherwise
achievable.
Types of
users
to access each connected security domain without
inspection.
separable
information
include,
for example,
and
providing
any
mechanisms
to allow
transfer inbound
of
Separation
of duties
addresses
theservice
potential
forinformation
abuse
of
outbound
communications
traffic,
requests
and
between
the
different
security
domains.
authorized
and helps
to reduce
the risk
of
responses, privileges
and information
of differing
security
categories.
malevolent activity without collusion. Separation of duties
includes, for example: (i) dividing mission functions and
information system support functions among different
individuals and/or roles; (ii) conducting information system
support functions with different individuals (e.g., system
management, programming, configuration management,
quality assurance and testing, and network security); and (iii)
ensuring
security
personnel
administering
accessduties
control
Organizations
employ
least privilege
for specific
and
functions
do
not
also
administer
audit
functions.
information systems. The principle of least privilege is also
applied
information
system
processes,establishing
ensuring that
the
Securityto
functions
include,
for example,
system
processes
operate
at
privilege
levels
no
higher
than
necessary
accounts, configuring access authorizations (i.e., permissions,
to
accomplish
required
organizational
missions/business
privileges),
setting
events
to be audited,
and
setting
intrusion
This
control
enhancement
limits
exposure
when
from
functions.
Organizations
consider
the
creation
ofoperating
additional
detection
parameters.
Security-relevant
information
includes,
within
privileged
accounts
or roles.
The inclusion
ofas
roles
processes,
roles,
and
information
system
accounts
for
example,
filtering
rules
for
routers/firewalls,
cryptographic
addresses
situations
where
organizations
implement
access
Network
access
is information,
any least
access
across
aOrganizations
network
connection
necessary,
to achieve
privilege.
also
apply
key
management
configuration
parameters
forina
control
policies
such
as
role-based
access
control
and
where
lieu
of
local
access
(i.e.,
user
being
physically
present
at
the
least
privilege
to
the
development,
implementation,
and
security
services,
and access
control
lists.of
Explicitly
authorized
change
of
role
provides
the information
same
degree
assurance
in the
device).
operation
of
organizational
systems.
Providing
processing
finer-grained
personnel
include,
for
example,domains
security
administrators,
change ofseparate
for bothfor
the
user and allsystem
allocation
of
user
privileges
includes,
for
using
and
network
administrators,
system
security
officers,
systemby
processes
acting
on
behalf of
the user
as example:
would
be (i)
provided
virtualization
techniques
to
allow
additional
privileges
maintenance
personnel,
system
programmers,
and
other
Privileged
accounts,a including
user accounts,account.
arewithin a
a change between
privilegedsuper
and non-privileged
virtual
machine
while
restricting
privileges
to
other
virtual
privileged
users.
typically described as system administrator for various types of
machines
oroff-the-shelf
to the underlying
actual
machine;
(ii) employing
commercial
operating
systems.
Restricting
hardware
and/or
software
domain
separation
mechanisms;
and
privileged accounts to specific personnel or roles prevents day(iii)
implementing
separate
physical
domains.
to-day
users from having
access
to privileged
The
need
for
certain
assigned
user
privileges
may change
over
information/functions. Organizations may differentiate
in the
time
reflecting
changes
in
organizational
missions/business
application of this control enhancement between allowed
function,
of operation,
technologies,
or threat.
privilegesenvironments
for local accounts
and for domain
accounts
provided
Periodic
review
of
assigned
user
privileges
is
necessary
to
organizations retain the ability to control information system
determine
if the
for assigning
such
privileges
remains
configurations
forrationale
key security
parameters
and
as otherwise
valid.
If
the
need
cannot
be
revalidated,
organizations
take
necessary to sufficiently mitigate risk.
appropriate corrective actions.
In certain situations, software applications/programs need to
execute with elevated privileges to perform required functions.
However,
if the privileges
required
forintentionally
execution are
Misuse of privileged
functions,
either
or at a higher
level
than
the
privileges
assigned
to
organizational
users
unintentionally by authorized users, or by unauthorized
invoking
such
applications/programs,
those
users
are
indirectly
external
entities
thatinclude,
have compromised
information
system
Privileged
functions
for example,
establishing
provided
with
greater
privileges
than
assigned
by
accounts,
is system
a serious
and ongoing
concern
and can
have
information
accounts,
performing
system
integrity
organizations.
significant
adverse impacts
on organizations.
Auditing the use
checks, or administering
cryptographic
key management
of
privileged
functions
is
one
way
to
detect
such
misuse,
activities. Non-privileged users are individuals that
do notand in
doing
so,
help
mitigate
the
risk
from
insider
threats
and the
possess appropriate authorizations. Circumventing intrusion
advanced
persistent
threat
(APT).
detection and prevention mechanisms or malicious code
protection mechanisms are examples of privileged functions
that require protection from non-privileged users.
This control applies regardless of whether the logon occurs via

a local or network connection. Due to the potential for denial of
service, automatic lockouts initiated by information systems
are usually temporary and automatically release after a
predetermined time period established by organizations. If a
delay algorithm is selected, organizations may choose to
employ different algorithms for different information system
components based on the capabilities of those components.
Responses to unsuccessful logon attempts may be
implemented
at both the operating
system
and the
application
This control enhancement
applies only
to mobile
devices
for
levels.
which a logon occurs (e.g., personal digital assistants, smart
phones,
tablets).
The logon
to implemented
the mobile device,
to any
System use
notifications
canisbe
using not
messages
one
account
on
the
device.
Therefore,
successful
logons
or warning banners displayed before individuals log in toto any
accounts
on systems.
mobile devices
the unsuccessful
logononly
count
information
Systemreset
use notifications
are used
for
to
zero.
Organizations
define
information
to
be
purged/wiped
access via logon interfaces with human users and are not
carefully
in order
to avoid
purging/wiping
which may
required when
such
humanover
interfaces
do not exist.
result
in
devices
becoming
unusable.
Purging/wiping
may be
Organizations consider system use notification
unnecessary
if the information
the device
is protected
messages/banners
displayed inon
multiple
languages
based with
on
sufficiently
strong
encryption
mechanisms.
specific organizational needs and the demographics of
information system users. Organizations also consult with the
Office of the General Counsel for legal review and approval of
warning banner content.
This control is applicable to logons to information systems via

human user interfaces and logons to systems that occur in
other types of architectures (e.g., service-oriented
architectures).
This control enhancement permits organizations to specify

additional information to be provided to users upon logon
including,
for example,
thethe
location
of last
logon. of
User
location
Organizations
may define
maximum
number
concurrent
is
defined
as
that
information
which
can
be
determined
by
sessions for information system accounts globally, by account
information
systems, user,
for example,
IP addresses
from which
type (e.g., privileged
non-privileged
user, domain,
network
logons
occurred,
device
identifiers,
or
notifications
of
specific application), by account, or a combination. For
local
logons.
example, organizations may limit the number of concurrent
sessions for system administrators or individuals working in
particularly sensitive domains or mission-critical applications.
This control addresses concurrent sessions for information
Session locks are temporary actions taken when users stop

work and move away from the immediate vicinity of
information systems but do not want to log out because of the
temporary nature of their absences. Session locks are
implemented where session activities can be determined. This
is typically at the operating system level, but can also be at the
application level. Session locks are not an acceptable
Publicly
viewable
images
include static
or dynamic
images,
substitute
for logging
out can
of information
systems,
for example,
for
example, patterns
with
screen
photographic
if organizations
requireused
users
to log
out savers,
at the end
of workdays.
images,
solid
colors,
clock,
battery
life
indicator,
or
a blank
This control addresses the termination of user-initiated
logical
screen,
with
the
additional
caveat
that
none
of
the
images
sessions in contrast to SC-10 which addresses the termination
convey
sensitive
information.are associated with
of
network
connections
Information
resources tothat
which users gain access via
communications
sessions
network
disconnect).
A logical
authentication include, for(i.e.,
example,
local
workstations,
session
(forand
local,
network, and remote
access) is initiated
databases,
password-protected
websites/web-based
whenever
a
user
(or
process
acting
on
behalf
of afor
user)
services. Logout messages for web page access,
example,
accesses
an
organizational
information
system.
Such
user
can be displayed after authenticated sessions have been
sessions
can
be
terminated
(and
thus
terminate
user
access)
terminated. However, for some types of interactive sessions
without
terminating
network
sessions.
Session
termination
including,
for example,
file transfer
protocol
(FTP)
sessions,
terminates
all
processes
associated
with
a
users
information systems typically send logout messages logical
as final
session
except
processessessions.
that are specifically created by
messages
priorthose
to terminating
the user (i.e., session owner) to continue after the session is
This
control addresses
whichrequiring
organizations
terminated.
Conditionssituations
or trigger in
events
automatic
determine
that no identification
is required in
session termination
can include, or
forauthentication
example, organizationorganizational
systems.
Organizations
may
a
defined periodsinformation
of user inactivity,
targeted
responses
toallow
certain
limited
number
of
user
actions
without
identification
or
types of incidents, time-of-day restrictions on information
authentication
including, for example, when individuals access
system use.
public websites or other publicly accessible federal information
systems, when individuals use mobile phones to receive calls,
or when facsimiles are received. Organizations also identify
actions that normally require identification or authentication
but may under certain circumstances (e.g., emergencies), allow
identification or authentication mechanisms to be bypassed.
Such bypasses may occur, for example, via a software-readable
Information
is represented
internally
within
information
physical switch
that commands
bypass
of the
logon
systems
using
abstractions
known
as
data
structures.
Internal
functionality and is protected from accidental or unmonitored
data
structures
can
represent
different
types
of
entities,
both
use. This control does not apply to situations where
active
and
passive.
Active
entities,
also
known
as
subjects,
identification and authentication have already occurred andare
are
typically
associated
with to
individuals,
or processesand
not repeated,
but rather
situationsdevices,
where identification
acting
on behalf
of individuals.
PassiveOrganizations
entities, also known
authentication
have
not yet occurred.
may as
objects,
are
typically
associated
with
data
structures
such ason
decide that there are no user actions that can be performed
records,
buffers,
tables,
files,
inter-process
pipes,
and
organizational information systems without identification and
communications
ports.
Security
attributes,
a form ofstatements
metadata,
authentication and
thus,
the values
for assignment
are
abstractions
representing
the
basic
properties
or
can be none.
characteristics of active and passive entities with respect to
safeguarding information. These attributes may be associated
Dynamic
association
of security
attributes
is the
appropriate
with active
entities (i.e.,
subjects)
that have
potential to
whenever
the
security
characteristics
of
information
changes
send or receive information, to cause information to flow
over
time.
Security
attributes
may
change,
for
example,
The
content
or assigned
values
security attributes
candue to
among
objects,
or to change
theofinformation
system state.
information
aggregation
issues
(i.e.,
the
security
characteristics
directly
affect themay
ability
individuals
towith
access
organizational
These attributes
alsoofbe
associated
passive
entities
of
individual
information
elements
are
different
from
the
information.
Therefore,
it
is
important
for
information
systems
(i.e.,
objects)
that
contain
or
receive
information.
The
Maintaining
the association
and
integrity
of access
security attributes
combined
elements),
changes
increate
individual
to
be
able
to
limit
the
ability
to
or
modify
association
of
security
attributes
to
subjects
and security
objects
to
subjects and(i.e.,
objects
with sufficient
assurance
helps
tois
authorizations
privileges),
and
changes
in of
the
security
attributes
to
authorized
individuals.
referred
to
as
binding
and
is
typically
inclusive
setting
ensure
that
the attribute associations can be used as the the
basis
category
of information.
attribute
value
and the
attribute
type. Security
attributes
when
of automated policy
actions.
Automated
policy actions
include,
bound
to
data/information,
enables
the
enforcement
of
for example, access control decisions or information flow
information
security policies for access control and information
control
decisions.
flow control, either through organizational processes or
information system functions or mechanisms. The content or
The support provided by information systems can vary to

include: (i) prompting users to select specific security attributes
to
be associated
with
specific
information
objects;pages,
(ii)
Information
system
outputs
include,
for example,
employing
for categorizing
information
screens, or automated
equivalent.mechanisms
Information system
output devices
with
appropriate
attributes
based
on
defined
policies;
or (iii)
include,
for example,
printers
and video
displays
on(as
computer
This
control
enhancement
requires
individual
users
opposed
ensuring
that
the
combination
of
selected
security
attributes
workstations,
notebook
computers,
andassociations
personal digital
to
the
information
system)
to
maintain
of
security
selected
is valid. Organizations consider the creation, deletion,
assistants.
attributes
subjects
and
objects.across
In
towith
enforce
security
policies
or order
modification
of security
attributes
when multiple
defining auditable
components
in distributed information systems (e.g.,
events.
distributed
database
management
systems,
cloud-based
The association (i.e., binding)
of security
attributes
to
systems,
and
service-oriented
architectures),
organizations
information within information systems is of significant
provide
a consistent
interpretation
of security
attributes
importance
with regard
to conducting
automated
access that
Validated
re-grading
mechanisms
areflow
employed
by
are
used
in
access
enforcement
and
enforcement
enforcement
and
flow enforcement
actions.
association
organizations
to provide
the
requisite
levels The
of assurance
forof
decisions.
Organizations
establish
agreements
and
processes
such
security
attributes
can be accomplished
with
security
attribute
reassignment
activities.
The
validation
The
content
or all
assigned
values
of
security
attributes
can is
to
ensure
that
distributed
information
system
components
technologies/techniques
providing
different
levels
ofare
assurance.
facilitated
by
ensuring
that
re-grading
mechanisms
singlein
directly
affect
the ability
of
individuals
to access
organizational
implement
security
attributes
withcan
consistent
interpretations
For
example,
information
systems
cryptographically
bind
purpose
and
of
limited
function.
Since
security
attribute
information.
Therefore,
it to
is organizational
important
for
information
systems
automated
access/flow
enforcement
actions.
Remote
access
is
access
information
systems
security
attributes
to
information
using
digital
signatures
with
reassignments
canthe
affect
security
policy
enforcement
actions
to
be
able
to
limit
ability
to
create
or
modify
security
by
users
(or processes
acting keys
on
behalf
of users)
the
supporting
cryptographic
protected
by hardware
(e.g.,
access/flow
enforcement
decisions),
using
trustworthy reattributes
to authorized
individuals
only. roots
communicating
through
external
networks
(e.g.,
the
devices
(sometimes
known
as
hardware
of trust).
grading mechanisms is necessary to ensure that
suchInternet).
Remote
access
methods
include,
for
example,
dial-up,
mechanisms perform in a consistent/correct mode of operation.
broadband, and wireless. Organizations often employ
encrypted virtual private networks (VPNs) to enhance
confidentiality and integrity over remote connections. The use
Automated
of remote
sessions
of encryptedmonitoring
VPNs doesand
notcontrol
make the
access access
non-remote;
allows
organizations
to detect
cyber
attacks and
also ensure
however,
the use of VPNs,
when
adequately
provisioned
with
ongoing
compliance
with
remote
access
policies
by
auditing
appropriate
security
controls
(e.g.,
employing
appropriate
The encryption strength of mechanism is selected based on the
connection
activities offor
remote
users on aand
variety
of
encryption
techniques
confidentiality
integrity
security categorization
of
the
information.
information
system
components
servers,
protection) may
provide
sufficient(e.g.,
assurance
to workstations,
the
Limiting
the
number
of
access
control
points
for
remote as
notebook
computers,
smart
phones,
and
tablets).
organization
that it can
effectively
treat
such
connections
accesses
reduces
the
attack
surface
for
organizations.
internal networks. Still, VPN connections traverse external
Organizations
the Trusted
Internet
Connections
networks, and consider
the encrypted
VPN does
not enhance
the (TIC)
initiative
requirements
for
external
network
connections.
availability of remote connections. Also, VPNs with encrypted
tunnels can affect the organizational capability to adequately
monitor network communications traffic for malicious code.
Remote access controls apply to information systems other
than public web servers or systems designed for public access.
This control addresses authorization prior to allowing remote
access without specifying the formats for such authorization.
While organizations may use interconnection security
agreements to authorize remote access connections, such
agreements are not required by this control. Enforcing access
restrictions for remote connections is addressed in AC-3.
This control enhancement requires organizations to have the

capability to rapidly disconnect current users remotely
accessing
the information
system
and/or disable
further packet
remote
Wireless technologies
include,
for example,
microwave,
access.
The
speed
of
disconnect
or
disablement
varies
based
radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks
on
criticality of protocols
missions/business
functions
andwhich
the need to
usethe
authentication
(e.g., EAP/TLS,
PEAP),
eliminate
immediate
or
future
remote
access
to
organizational
provide credential protection and mutual authentication.
Organizational authorizations to allow selected users to

configure wireless networking capability are enforced in part,
by
the access
enforcement
mechanisms
employed
Actions
that may
be taken by
organizations
to limit within
organizational
information
systems.
unauthorized use of wireless communications outside of
boundaries
include,
example:
(i)form
A mobile device is a computing
device
that: for
(i) has
a small
reducing
the
power
of
wireless
transmissions
so
that
the
factor such that it can easily be carried by a single individual;
transmissions
less likely
to emit
a signal that
can be used
(ii) is designedare
to operate
without
a physical
connection
(e.g.,
by
adversaries
outside
of
the
physical
perimeters
of
wirelessly transmit or receive information); (iii) possesses
local,
organizations;
suchand
as TEMPEST
to a
non-removable(ii)
or employing
removable measures
data storage;
(iv) includes
control
wirelesspower
emanations;
(iii)devices
using directional/beam
self-contained
source. and
Mobile
may also include
forming
antennas
that
reduce
the
likelihood
that
unintended
voice communication capabilities, on-board sensors
that allow
receivers
will
be
able
to
intercept
signals.
Prior
to
taking such
the device to capture information, and/or built-in features
for
actions,
organizations
can
conduct
periodic
wireless
surveys to
synchronizing
local data
with
remote
locations.
Examples
understand
the
radio frequency
of organizational
include smart
phones,
E-readers,profile
and tablets.
Mobile devices
information
systems
as
well
as
other
systems
are typically associated with a single individualthat
andmay
the be
device
operating
in
the
area.
is usually in close proximity to the individual; however, the
degree of proximity can vary depending upon on the form
factor and size of the device. The processing, storage, and
transmission capability of the mobile device may be
comparable to or merely a subset of desktop systems,
depending upon the nature and intended purpose of the
device. Due to the large variety of mobile devices with different
technical characteristics and capabilities, organizational
restrictions may vary for the different classes/types of such
devices. Usage restrictions and specific implementation
guidance for mobile devices include, for example, configuration
management, device identification and authentication,
implementation of mandatory protective software (e.g.,
malicious code detection, firewall), scanning devices for
malicious code, updating virus protection software, scanning
for critical software updates and patches, conducting primary
operating system (and possibly other resident software)
integrity checks, and disabling unnecessary hardware (e.g.,
wireless, infrared). Organizations are cautioned that the need
to provide adequate security for mobile devices goes beyond
the requirements in this control. Many safeguards and
countermeasures for mobile devices are reflected in other
Container-based encryption provides a more fine-grained
security controls in the catalog allocated in the initial control
approach to the encryption of data/information on mobile
baselines as starting points for the development of security
devices, including for example, encrypting selected data
plans and overlays using the tailoring process. There may also
structures such as files, records, or fields.
be some degree of overlap in the requirements articulated by
the security controls within the different families of controls.
AC-20 addresses mobile devices that are not organizationcontrolled.
External information systems are information systems or

components of information systems that are outside of the
authorization boundary established by organizations and for
which organizations typically have no direct supervision and
authority over the application of required security controls or
the assessment of control effectiveness. External information
systems include, for example: (i) personally owned information
This
control enhancement
recognizes
that there
arephones,
systems/devices
(e.g., notebook
computers,
smart
circumstances
where
individuals
using
tablets, personal
digital
assistants);
(ii) external
privatelyinformation
owned
systems
(e.g.,
coalition
partners)
need
access
computing
andcontractors,
communications
devices
resident
in to
commercial
organizational
information
systems.
those situations,
or public facilities
(e.g., hotels,
train In
stations,
convention
organizations
needmalls,
confidence
that the
information
centers, shopping
or airports);
(iii)external
information
systems
systems
contain
the
necessary
security
safeguards
(i.e.,
owned or controlled by nonfederal governmental organizations;
security
controls),
so as not systems
to compromise,
or by,
and (iv) federal
information
that aredamage,
not owned
Limits
on by,
the
use
of organization-controlled
portable
storage
otherwise
harm
organizational
information
Verification
operated
or
under
the direct
supervisionsystems.
and authority
of
devices
external
information
systems
include,
that
the in
required
security
controls
have been
can
organizations.
This
control
also addresses
the implemented
usefor
of example,
external
complete
prohibition
of
the
use
of
such
devices
or
restrictions
be
achieved,
for
example,
by
third-party,
independent
information
systems
for
the
processing,
storage,
or
Non-organizationally owned devices include devices owned by
on
how
the devices
may
used
and
under
whatcontractors)
conditions
assessments,
attestations,
or
other
means,
depending
on the
transmission
of
organizational
information,
including,
for
other
organizations
(e.g.,be
federal/state
agencies,
the
devices
may
be
used.
confidence
level
required
by
organizations.
example,
accessing
cloud
services
(e.g.,
infrastructure
a
and
personally
owned
devices.
Thereinare
risks to
using as
nonNetwork
accessible
storage
devices
external
information
service,
platform
as
a
service,
or
software
as
a
service)
from
organizationally
owned
devices.
In some
cases,
the risk
systems
include,
for example,
online
storage
devices
in is
public,
organizational
information
systems.
For
some
external
sufficiently
high
as
to
prohibit
such
use.
In
other
cases,
it may
hybrid,
or
community
cloud-based
systems.
This
control
applies
thatsystems
may be
restricted
in is
information
information
operated
by
be
such
thatsystems
the useto(i.e.,
ofinformation
non-organizationally
owned
devices
some
manner
(e.g., privileged
information,
contractother
federal
agencies,
organizations
subordinate
allowed
but restricted
inincluding
some medical
way.
Restrictions
include,
for to
sensitive
information,
proprietary
information,
personally
those
agencies),
the
trust
relationships
that
have
been
example: (i) requiring the implementation of organizationidentifiable
information,
classified
related
to special
established
between
those
organizations
and the
originating
approved security
controls
prior
toinformation
authorizing
such
access
programs
or
compartments)
based
on
some
formal
or
organization
may
be
such,
that
no
explicit
terms
and
conditions
connections; (ii) limiting access to certain types of information,
administrative
determination.
Depending
on
the
particular
are
required.
Information (iii)
systems
these organizations
services,
or applications;
usingwithin
virtualization
techniques to
information-sharing
circumstances,
sharing
partners
may when,
be
would
not
be
considered
external.
These
situations
limit processing and storage activities to servers
or occur
other
defined
at
the
individual,
group,
or
organizational
level.
for
example,
there
are
pre-existing
sharing/trust
agreements
system components provisioned by the organization; and (iv)
Information
may
defined
by content,
type,
security
(either
implicit
orbe
explicit)
established
between
federal
agreeing
to terms
and
conditions
for usage.
For
personally
category,
or
special
access
program/compartment.
agencies
or organizations
subordinate
to those
agencies,
or
owned
devices,
organizations
consult with
the Office
of the
when
such
trust
agreements
are
specified
by
applicable
laws,
General Counsel regarding legal issues associated with using
Executive
Orders,
directives,environments,
or policies. Authorized individuals
such
devices
inwith
operational
for
In accordance
federal laws, Executive including,
Orders, directives,
include,
for
example,
organizational
personnel,
contractors,
or
example,
requirements
for
conducting
forensic
analyses
during
policies, regulations, standards, and/or guidance, the general
other
individuals
with
authorized
access
to
organizational
investigations
after an incident.
public is not authorized
access to nonpublic information (e.g.,
information systems and over which organizations have the
information protected under the Privacy Act and proprietary
authority to impose rules of behavior with regard to system
information). This control addresses information systems that
access. Restrictions that organizations impose on authorized
are controlled by the organization and accessible to the general
individuals need not be uniform, as those restrictions may vary
public, typically without identification or authentication. The
depending upon the trust relationships between organizations.
posting of information on non-organization information systems
Therefore, organizations may choose to impose different
is covered by organizational policy.
security restrictions on contractors than on state, local, or tribal
governments. This control does not apply to the use of external
information systems to access public interfaces to
organizational
information
systems
(e.g., individuals
accessing
Data
storage objects
include,
for example,
databases,
database
federal
information
through
www.usa.gov).
Organizations
records, and database fields. Data mining prevention and
establish
terms
and conditions
forexample:
the use of
detection
techniques
include,
(i)external
limiting the types
Access control
decisions
(also for
known
as authorization
information
systems
in
accordance
with
organizational
security
of
responses
provided
to
database
queries;
(ii)
limiting
the to
decisions) occur when authorization information
is applied
policies and procedures.
Terms and
conditions
address
as a
number/frequency
of
database
queries
to
increase
the
work
specific
accesses.
In contrast,
access
enforcementprocesses
occurs when
In
distributed
information
systems,
and
minimum:
types
applications
thatauthorization
can be
accessed
on
factor
needed
to of
determine
the
contents
of such
databases;
information
systems
enforce
access
control
decisions.
While
access
control
decisions
may
occur
in
separate
parts
of the it
organizational
information
systems
from
external
information
and
(iii)
notifying
organizational
personnel
when
atypical
is
very common
to have access
control decisions
and access
systems.
In
such
authorization
information
is on
systems;
and
the instances,
highest
security
category
of information
that
database
queries
or accesses
occur.
Thisentity,
control
focuses
the
enforcement
implemented
by
the
same
it
is
not required
transmitted
securely
so
timely
access
control
decisions
can
be
can be processed,
stored, orinformation
transmittedfrom
on external
protection
of
organizational
data
mining
while
and
it is not
always
an optimal
implementation
choice.
For
enforced
at the
appropriate
locations.
To support
the
information
systems.
If terms
and conditions
with
theaccess
owners
of
such
information
resides
in organizational
data
stores.
In
some
architectures
and
distributed
information
systems,
control
decisions,
it
may
be
necessary
to
transmit
as
part
of
the
external
information
systems
cannot
be
established,
contrast,
AU-13 focuses
on monitoring
for organizational
different
entities
mayinformation,
perform
access
control
decisions and
access
authorization
supporting
security
organizations
may
impose
restrictions
on
information
that
may
have
been
mined
ororganizational
otherwise
obtained
access
enforcement.
attributes.
This isthose
dueisto
the available
fact
that in
information
personnel
using
external
systems.
from data stores
and
now
as distributed
open source
In certain situations, it is important that access control

decisions can be made without information regarding the
identity
of the
users issuinginternally
the requests.
These
are generally
Information
is represented
within
information
instances
where
preserving known
individual
privacy
is of paramount
systems using
abstractions
as data
structures.
Internal
importance.
In
other
situations,
user
identification
information
data
structures
can
represent
different
types
of
entities,
This
control
addresses
the
establishment
of policyand,
and both
is
simply
not
neededActive
for
access
control
decisions
active
and
passive.
entities,
also
known
as
subjects,
are
procedures
the
effective
implementation
of selected
especially
infor
the
case
of distributed
information
systems,
typically
associated
with
individuals,
devices,
or
processes
security
controls
and
control enhancements
in the
AT family.
transmitting
suchof
information
with
the needed
degree
of
acting
on
behalf
individuals.
Passive
entities,
also
known
as
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
assurance
may
be
very
expensive
or
difficult
to
accomplish.
objects,
are typically
associatedpolicies,
with data
structures
such as
Orders, directives,
regulations,
standards,
and
records,
buffers,
tables,
files,
inter-process
pipes,
and
communications
Reference
monitors
typically enforce
organization levelports.
may make
the need
for system-specific
mandatory
access
control
policiesa
type
of access
control
policies and procedures unnecessary. The policy
can be
that
restricts
access
to general
objects based
on thesecurity
identitypolicy
of subjects
included
as part
of the
information
for
or
groups
to
which
the
subjects
belong.
The
access
controls
organizations or conversely, can be represented by multiple are
mandatory
because
subjects
with
certain
privileges
(i.e.,
policies reflecting
the
complex
nature
of certain
organizations.
access
permissions)
are
restricted
from
passing
those
privileges
onfor
to particular
any other information
subjects, either
directly
or
general and
systems,
if needed.
The
indirectlythat
the information
system
strictly
enforces
organizational riskis,management
strategy
is a
key factor
in
the
access control
based on the rule set established by
establishing
policy policy
and procedures.
the policy. The tamperproof property of the reference monitor
prevents adversaries from compromising the functioning of the
Organizations
determine
the appropriate
ofadversaries
security
mechanism. The
always invoked
propertycontent
prevents
awareness
training
security and
awareness
techniques
from bypassing
the and
mechanism
hence violating
thebased
on
the
specific
organizational
requirements
and
the
information
security policy. The smallness property helps to ensure the
systems
to which
personnel
authorized
access.
The
completeness
in the
analysishave
and testing
of the
mechanism
to
content
includes
a
basic
understanding
of
the
need
for
detect weaknesses or deficiencies (i.e., latent flaws) that would
information
and user
actions
to maintain
security and
prevent the security
enforcement
of the
security
policy.
to respond to suspected security incidents. The content also
addresses awareness of the need for operations security.
Security awareness techniques can include, for example,
displaying
posters, may
offering
supplies
inscribedno-notice
with security
Practical exercises
include,
for example,
social
reminders,
generating
email
advisories/notices
from
senior
engineering attempts to collect information, gain unauthorized
organizational
officials,
logonof
screen
messages,
and
access,
orindicators
simulate
the displaying
adverse
opening
malicious
Potential
and
possibleimpact
precursors
of insider
threat
conducting
information
security
awareness
events.
email
attachments
or invoking,
via spear phishing
attacks,
can include
behaviors
such as inordinate,
long-term
job
malicious
web
links.
dissatisfaction,
attempts
to
gain
access
to
information
not
Organizations determine the appropriate content of security
required
for
job
performance,
unexplained
access
to
financial
training based on the assigned roles and responsibilities of
resources,
sexualsecurity
harassment
of fellow of
employees,
individuals bullying
and the or
specific
requirements
workplace
violence,
and
other
serious
violations
of
organizations and the information systems to which personnel
organizational
policies,
rules,
or
have authorized
access.procedures,
In addition,directives,
organizations
provide
practices.
Security
awareness
training
includes
how
to
enterprise architects, information system developers, software
communicate
employee and management
concerns
regarding
developers, acquisition/procurement
officials,
information
potential
indicators
of
insider
threat
through
appropriate
system managers, system/network administrators, personnel
organizational
channels inmanagement
accordance with
conducting configuration
and established
auditing activities,
organizational
policies
and
procedures.
personnel
performing
independent
verification
and
validation
Environmental controls include, for example, fire
suppression
activities,
security
control assessors,
and systems,
other personnel
and detection
devices/systems,
sprinkler
handheld
having
access
to
system-level
software,
adequate
securityfire
extinguishers,
fixed
fire
hoses,
smoke
detectors,
Physical
security controls
include, for tailored
example,
access
related
technical
training
specifically
forphysical
their
assigned
temperature/humidity,
HVAC,
and power
within
the
facility.
control
devices,
physical
intrusion
alarms,
duties.
Comprehensive
role-based
training
addresses
Organizations
identify personnel
with
specific
roles
and
monitoring/surveillance
equipment,
and
security
guards
Practical
exercises
may
include,
for
example,
security
training
management,
operational,
and
technical
roles
and
responsibilities
associated
with
environmental
controls
(deployment
and
operating
procedures).
Organizations
identify
for
software
developers
that
includes
simulated
attacks
responsibilities
covering
physical,
personnel,
andcyber
technical
requiring
specialized
training.
personnel
with
roles vulnerabilities
and responsibilities
associated
exploiting
software
(e.g.,can
buffer
safeguardscommon
andspecific
countermeasures.
Such training
include for
with
physical
security
controls
requiring
specialized
overflows),
or spear/whale
phishing
targeted
at
senior
example, policies,
procedures,
tools,attacks
and artifacts
fortraining.
the
leaders/executives.
These
types
of practical
exercises
help
organizational security
roles
defined.
Organizations
also
developers
understand
of such
vulnerabilities
provide the better
training
necessarythe
for effects
individuals
to carry
out their
and
appreciate related
the need
security and
coding
standards
and
responsibilities
tofor
operations
supply
chain security
processes.
within the context of organizational information security
A well-trained workforce provides another organizational

safeguard that can be employed as part of a defense-in-depth
strategy
to protect
against
malicious
code
Documentation
for organizations
specialized training
may
be maintained
by
coming
in
to
organizations
via
email
or
the
web
applications.
individual supervisors at the option of the organization.
Personnel are trained to look for indications of potentially
suspicious email (e.g., receiving an unexpected email,
receiving an email containing strange or poor grammar, or
receiving an email from an unfamiliar sender but who appears
to be from a known sponsor or contractor). Personnel are also
trained on how to respond to such suspicious email or web
communications (e.g., not opening attachments, not clicking on
embedded web links, and checking the source of email
This
control For
addresses
the establishment
of policy
addresses).
this process
to work effectively,
all and
procedures
for personnel
the effective
of selected
organizational
areimplementation
trained and made
aware of what
security
controls
and
control
enhancements
in
the
AU family.
constitutes suspicious communications. Training
personnel
on
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
how to recognize anomalous behaviors in organizational
Orders,
directives,
regulations,
policies,
standards,
and
information
systems
can potentially
provide
early warning
for
guidance.
Security
program
policies
and
procedures
at
the
the presence of malicious code. Recognition of such anomalous
organization
level may make
the needcan
for supplement
system-specific
behavior by organizational
personnel
policies
and
procedures
unnecessary.
The
policy
cantools
be and
automated malicious code detection and protection
included
as
part
of
the
general
information
security
policy
for
systems employed by organizations.
An event is any observable occurrence in an organizational
information system. Organizations identify audit events as
those events which are significant and relevant to the security
of information systems and the environments in which those
systems operate in order to meet specific and ongoing audit
needs. Audit events can include, for example, password
changes, failed logons, or failed accesses related to information
systems, administrative privilege usage, PIV credential usage,
or third-party credential usage. In determining the set of
auditable events, organizations consider the auditing
appropriate for each of the security controls to be
implemented. To balance auditing requirements with other
information system needs, this control also requires identifying
that subset of auditable events that are audited at a given
point in time. For example, organizations may determine that
information systems must have the capability to log every file
access
boththe
successful
andorganizations
unsuccessful,believe
but notshould
activate
Over time,
events that
bethat
capability
except
for specific
circumstances
due
toset
theof
audited may
change.
Reviewing
and updating
the
potential
burden
on
system
performance.
Auditing
audited events periodically is necessary to ensure that the
requirements,
including
the need
for auditable events, may be
current set is still
necessary
and sufficient.
referenced in other security controls and control
Audit
record content
that may also
be necessary
to satisfyevents
the
enhancements.
Organizations
include auditable
requirement
of this
includes,
for
example,
timeOrders,
stamps,
that are required
bycontrol,
applicable
federal
laws,
Executive
source
andpolicies,
destination
addresses,
user/process
identifiers,
directives,
regulations,
and
standards. Audit
records
event
indications,
filenames
involved,
can bedescriptions,
generated atsuccess/fail
various levels
of abstraction,
including
at
and
access level
control
flow control
rules invoked.
Event
the packet
as or
information
traverses
the network.
outcomes
canappropriate
include indicators
event success
or failure
and
Selecting the
level ofofabstraction
is a critical
aspect
event-specific
results and
(e.g.,can
thefacilitate
security the
state
of the information
of an audit capability
identification
of root
system
after
the event
occurred). consider in the definition of
causes to
problems.
Organizations
Detailed information that organizations may consider in audit

records includes, for example, full text recording of privileged
commands
the individual
identities
ofthe
group
account
users.
This controlor
enhancement
requires
that
content
to be
Organizations
consider
limiting
the additional
information
captured in audit
records
be configured
from aaudit
central
location
to
only
that
information
explicitly
needed
for
specific
audit
(necessitating
automation).
Organizations
coordinate
the
Organizations
consider
the types
auditing
be performed
requirements.
This facilitates
the of
use
of audittotrails
and audit
selection
of required
auditrequirements
content
to support
the centralized
and
the
audit
processing
when
allocating
audit
logs
by
not
including
information
that
could
potentially
be
management
andAllocating
configuration
capability
provided
by the
storage
capacity.
sufficient
audit
storage
capacity
Off-loading
is
acould
process
designed
preserve
the confidentiality
misleading
or
make
it more to
difficult
to locate
information
information
system.
reduces
the
likelihood
of
such
capacity
being
exceeded
and
and
integrity of audit records by moving the records from
the
of interest.
resulting
in
the
potential
loss
or
reduction
of
auditing
capability.
primary
information
system
to
a
secondary
or
alternate
Audit processing failures include, for example,
system.
It is a common
process
in in
information
systems with
software/hardware
errors,
failures
the audit capturing
limited
audit
storage
capacity;
the
audit
storage
is used or
only in
mechanisms, and audit storage capacity being reached
a
transitory
fashion
until
the
system
can
communicate
with
exceeded. Organizations may choose to define additional the
secondary
alternate
system
designated
for(e.g.,
storing
audit
actions for or
different
audit
processing
failures
by the
type,
by
records,
at
which
point
the
information
is
transferred.
location, by severity, or a combination of such factors). This
control applies to each audit data storage repository (i.e.,
Organizations
may have
multiple
audit data
storage
distinct information
system
component
where
audit records are
repositories
distributed
across multiple
system
stored), the total
audit storage
capacityinformation
of organizations
(i.e.,
components,
with
each
repository
having
different
storage
all
audit
data
storage
repositories
combined),
or
both.
Alerts provide organizations with urgent messages. Real-time
volume
capacities.
alerts provide
these messages at information technology speed
(i.e.,
the time from
detectiontotoreject
alert or
occurs
seconds
Organizations
have event
the capability
delayinthe
or
less).
processing of network communications traffic if auditing such
traffic
is determined
to exceed
the storage
of the
Organizations
determine
the types
of audit capacity
failures that
can
information
system
audit
function.
The
rejection
or
delay
trigger automatic information system shutdowns or degraded
response
is Because
triggeredof
bythe
theimportance
establishedoforganizational
traffic
operations.
ensuring
Audit
review,
analysis,
and
reporting
covers
information
volume
thresholds
which
can
be
adjusted
based
on
changes
to
mission/business
continuity,
organizations
may determine
that
security-related
auditing
performed
by
organizations
including,
audit
storage
capacity.
the
nature
of auditing
the
auditthat
failure
is not
so severe
that of
it warrants
for example,
results
from
monitoring
account a
complete
shutdown
of
the
information
system
supporting
the
usage, remote access, wireless connectivity, mobile device
core
organizational
missions/business
operations.
In
those
connection, configuration settings, system component
instances,
information system
shutdowns
operating in
inventory, partial
use of maintenance
tools and
nonlocalor
maintenance,
a
degraded
modetemperature
with reduced
capability
may
be viabledelivery
physical
access,
and
humidity,
equipment
alternatives.
Organizational
processes benefiting
integrated
audit
and removal, communications
at thefrom
information
system
review,
analysis,
and
reporting
incident
boundaries,
use of
mobile
code,include,
and usefor
of example,
VoIP. Findings
can
response,
continuous
monitoring,
contingency
planning,
and
be reported
to organizational
entities
that include,
for example,
Inspector
General team,
audits.help desk, information security
incident response
group/department. If organizations are prohibited from
Organization-wide
situational
includes
awareness
reviewing and analyzing
auditawareness
information
or unable
to conduct
across
all
three
tiers
of
risk
management
(i.e.,
organizational,
such activities (e.g., in certain national security applications or
mission/business
process,for
and
information
system)
Automated
mechanisms
centralized
reviews
analyses
systems), the
review/analysis
may
be carried
outand
byand
other
supports
cross-organization
awareness.
include,
for example,
Information Management
organizations
grantedSecurity
such authority.
products.
This control enhancement does not require vulnerability
scanning, the generation of performance data, or information
system
monitoring.
Rather,audit
the enhancement
requires
The correlation
of physical
information and
audit that
logs the
analysis
of
information
being
otherwise
produced
in
these
from information systems may assist organizations in
areas
is integrated
with
the analysis
of auditor
information.
identifying
examples
of
suspicious
behavior
supporting
Organizations
specify
permitted
actions
for information
system
Security
Event
and
Information
Management
System tools
can
evidence
of
such
behavior.
For
example,
the
correlation
of an
processes,
roles,
and/or
users
associated
with
the
review,
facilitate
audit
record
aggregation/consolidation
from
multiple
individuals
identity for
logical
accessthrough
to certain
information
analysis,
andsystem
reporting
of audit
records
account
This
control
enhancement
requires
distinct
environment
for
information
components
as awell
as audit
record that
systems
with
the
additional
physical
security
information
management
techniques.
Specifying
permitted
actions
on
audit
the
dedicated
analysis
ofThe
audit
information
related
to privileged
correlation
andwas
analysis.
use
ofat
standardized
audit
record
the
individual
actually
present
the
facility
when
the
information
is compromising
a developed
way to enforce
theinformation
principle(with
ofon
least
privilege.
users
without
analysis
scripts
bysuch
organizations
localized
logical
access
occurred,
may
prove
to be
useful
inthe
Permitted
actions
are
enforced
by
the
information
system
and
information
system as
where
the users
have elevated
privileges
script
adjustments,
necessary)
provides
more cost-effective
investigations.
include,
for
example,
read,
write,
execute,
append,
and
delete.
including
thefor
capability
toaudit
execute
privileged
commands.
Full
approaches
analyzing
record
information
collected.
text
analysis refers
to analysis
that considers
the
full text of
The correlation
of audit
record information
with
vulnerability
privileged
commands is
(i.e.,
commands
and all parameters)
as
scanning information
important
in determining
the veracity
opposed
to analysis
only
the name
of the
of vulnerability
scansthat
andconsiders
correlating
attack
detection
events
Nontechnical sources include, for example, human resources

records documenting organizational policy violations (e.g.,
sexual
harassment
incidents,
improper
useaudit
of organizational
The frequency,
scope,
and/or depth
of the
review,
information
assets).
Such
information
can
lead
organizations
to
analysis, and reporting may be adjusted to meet organizational
a
more
directed
analytical
effort
to
detect
potential
malicious
needs
based on is
new
information
received.
Audit
a process
that manipulates
audit
insiderreduction
activity. Due
to the sensitive
nature of collected
the information
information
and
organizes
such
information
in
a
summary
available from nontechnical sources, organizations limit access
format
is more meaningful
analysts.
Audit
reduction and
to suchthat
information
to minimize to
the
potential
for the
report
generation
capabilities
do not always
emanate
from the
inadvertent
release
of privacy-related
information
to individuals
same
information
system
or
from
the
same
organizational
that do not have a need to know. Thus, correlation of
entities
conducting
auditing activities.
reduction
information
from nontechnical
sources Audit
with audit
information
capability
can
include,
for
example,
modern
data
mining
generally occurs only when individuals are suspected
of being
Events
of
interest
can
be
identified
by
the
content
of
specific
techniques
with
advanced
data
filters
to
identify
anomalous
involved in a security incident. Organizations obtain legal
audit
fields
including,
example,
identities
of
behavior
in audit
records.
Thefor
report
generation
capability
advicerecord
prior
to
initiating
such
actions.
individuals,
event
types,
event
locations,
event
times,
event
provided
by
the
information
system
can
generate
customizable
Sorting and searching of audit records may be based upon
the
dates,
system
resources
involved,
IP
addresses
involved,
reports.
Time
ordering
of
audit
records
can
be
a
significant
contents of audit record fields, for example: (i) date/time or
of
information
objects
accessed.
Organizations
may
define
issue
if the
granularity
of the
timestamp
in the
record
is audit
events;
(ii) user
identifiers;
(iii)
Internet Protocol
(IP)
addresses
Time
stamps
generated
by
the
information
system
include
date
event
criteria
to
any
degree
of
granularity
required,
for
insufficient.
involved
in
the
event;
(iv)
type
of
event;
or
(v)
event
and
time. locations
Time is commonly
innetworking
Coordinated
example,
selectableexpressed
by general
location
success/failure.
Universal
Time
(UTC),
a
modern
continuation
Greenwich
(e.g., by network or subnetwork) or selectableofby
specific
Mean
Time (GMT),
local time with an offset from UTC.
information
systemorcomponent.
Granularity of time measurements refers to the degree of
synchronization between information system clocks and
reference clocks, for example, clocks synchronizing within
This
control
uniformity
of time stamps
hundreds
of enhancement
milliseconds orprovides
within tens
of milliseconds.
for
informationmay
systems
with
multiple
system
clocks and
Organizations
define
different
time
granularities
for
systems
over a network.
different connected
system components.
Time service can also be critical
to other security capabilities such as access control and
identification and authentication, depending on the nature of
the mechanisms used to support those capabilities.
Audit information includes all information (e.g., audit records,

audit settings, and audit reports) needed to successfully audit
information
activity.
This control
on technical
This control system
enhancement
applies
to the focuses
initial generation
of
protection
of
audit
information.
Physical
protection
of
audit
audit trails (i.e., the collection of audit records that represents
information
is addressed
byused
media
controls and
the
audit
information
to be
forprotection
detection,
and
This
control
enhancement
helps
to
ensure
that analysis,
a compromise
physical
and
environmental
protection
controls.
reporting
purposes)
and
to
the
backup
of
those
audit
trails.
of the information system being audited does not also resultThe
in
enhancement
does
not
apply
to the initial generation of audit
a
compromise
of
the
audit
records.
Cryptographic
used
foraudit
protecting
the integrity
of
records prior tomechanisms
being written
to an
trail. Write-once,
readaudit
include,
for example,
signed
hash functions
many information
(WORM) media
includes,
for example,
Compact
Diskusing
asymmetric
cryptography
enabling
distribution
of the and
Individuals
privileged
access
to Disk-Recordable
an information system
Recordable with
(CD-R)
and Digital
Video
(DVD-R).
public
key
tothe
verify
the
hash
information
while
maintaining
the
who
are
also
the
subject
of an
audit
by that
system,
may such
affect
In contrast,
use
of switchable
write-protection
media
confidentiality
of
the
secret
key
used
to
generate
the
hash.
the
reliability
of
audit
information
by
inhibiting
audit
activities
as
on
tape cartridges
or
Universal
Serial
Bus (USB)
drives
Organizations
may
choose
different
selection
options
for
or
modifying
audit
records.
This
control
enhancement
results
in
write-protected,
but
not
write-once,
media.
different types of audit information. Dual authorizationrequires
that
privileged
access
beapproval
further defined
between audit-related
mechanisms
require
the
of two authorized
individuals
Restricting
privileged
user
authorizations
to read-only
helps
privileges
and
other
privileges,
thus
limiting
the users
with asto
in
order
to
execute.
Dual
authorization
may
also
be
known
limit
the
potential
damage
to
organizations
that
could
be
audit-related
privileges.
two-person
initiated
by control.
such users
(e.g.,
deleting
records to cover
up
Types of individual
actions
covered
byaudit
non-repudiation
include,
malicious
activity).
for example, creating information, sending and receiving
messages, approving information (e.g., indicating concurrence
or signing a contract). Non-repudiation protects individuals
against later claims by: (i) authors of not having authored
particular documents; (ii) senders of not having transmitted
messages; (iii) receivers of not having received messages; or
(iv) signatories of not having signed documents. Non-
This control enhancement supports audit requirements that

provide organizational personnel with the means to identify
who produced specific information in the event of an
information transfer. Organizations determine and approve the
strength of the binding between the information producer and
the information based on the security category of the
information and relevant risk factors.
This control enhancement prevents the modification of
information between production and review. The validation of
bindings can be achieved, for example, by the use of
cryptographic checksums. Organizations determine if
validations are in response to user requests or generated
automatically.
Chain of custody is a process that tracks the movement of
evidence through its collection, safeguarding, and analysis life
cycle
by documenting
eachprevents
person who
handled the evidence,
This control
enhancement
the modification
of
the
date
and
time
it
was
collected
or
transferred,
and
information between review and transfer/release. The the
purpose
for
transfer.
theachieved,
reviewer for
is aexample,
human orby
if the
the use
validation
ofthe
bindings
canIf be
review
function
is
automated
but
separate
from
the
of cryptographic checksums. Organizations determine
release/transfer
system
associates
validations are infunction,
responsethe
to information
user requests
or generated
the
identity
of
the
reviewer
of
the
information
to
be
released
automatically.
with the information and the information label. In the case of
human reviews, this control enhancement provides
organizational officials the means to identify who reviewed and
released the information. In the case of automated reviews,
Organizations
retain audit ensures
records until
it is determined
that
this control enhancement
that only
approved review
they
are no
needed for administrative, legal, audit, or
functions
arelonger
employed.
other
operational
purposes.
This includes,
for facilitate
example,the
Measures employed by organizations
to help
retention
and
availability
of
audit
records
relative
to Freedom of
retrieval of audit records include, for example, converting
Information
Act
(FOIA)
requests,
subpoenas,
and
law
records
to newer
retaining
capable of
Audit
records
canformats,
be generated
fromequipment
many different
enforcement
actions.
Organizations
develop
standard
reading
the
records,
and
retaining
necessary
documentation
to
information
system
components.
The
list
oftypes
audited
events is
categories
of
audit
records
relative
to
such
of
actions
and
help
organizational
personnel
understand
to interpret
the
the
set
ofresponse
events for
which audits
are to
behow
generated.
These
standard
processes
for each
type
of
action. The
records.
events
typically
a subset
ofAdministration
all events for which
the
Nationalare
Archives
and
Records
(NARA)
General
information
system
is
capable
of
generating
audit
records.
Records Schedules provide federal policy on record retention.
Audit trails are time-correlated if the time stamps in the

individual audit records can be reliably related to the time
stamps
in other audit
to achieve
a time ordering
of the
Audit information
thatrecords
is normalized
to common
standards
records
within
organizational
tolerances.
promotes interoperability and exchange of such information
between
dissimilar
devicesenables
and information
systems.
This or
This control
enhancement
organizations
to extend
facilitates
production
of
event
information
that
can
be
more
limit auditing as necessary to meet organizational
readily
analyzed
and correlated.
Standard
formats information
for audit
requirements.
Auditing
that
is limited
to
conserve
Open
source
information
includes,
forlog
example,
social
records
include,
for
example,
system
records
and
system
resources
be extended to address certainaudit
threat
networking
sites. may
records
compliant
with
Commonmay
Event
(CEE). Ifset
situations. In addition, auditing
be Expressions
limited to a specific
Automated
canreduction,
include, for
example,
logging
mechanisms
information
systems
doautomated
not
of events
tomechanisms
facilitatewithin
audit
analysis,
and
reporting.
scripts
toto
monitor
posts
on selected
websites,
and
conform
standardized
formats,
systems
may
convert
Organizations
can new
establish
time
thresholds
in which
audit
commercial
services
providing
notifications
and
alerts
to
individual
audit
records
into
standardized
formats
when
actions are changed, for example, near real-time, within
organizations.
compiling
system-wide
audit
trails.
minutes, or within hours.
Session audits include, for example, monitoring keystrokes,

tracking websites visited, and recording information and/or file
transfers. Session auditing activities are developed, integrated,
and used in consultation with legal counsel in accordance with
applicable federal laws, Executive Orders, directives, policies,
regulations, or standards.
Since an alternate audit capability may be a short-term

protection employed until the failure in the primary auditing
capability
is corrected,
may determine
that the of
When organizations
useorganizations
information systems
and/or services
alternate
audit
capability
need
only
provide
a
subset
of the a
external organizations, the auditing capability necessitates
primary
audit
functionality
that
is
impacted
by
the
failure.
coordinated
approach across
organizations.
Forisexample,
applies
when there
a need to be
maintaining
the
identity
of
individuals
that
requested
particular
able to trace actions that are performed across organizational
services
across
organizational
boundaries may often be very
boundaries
to adistributed
specific individual.
Because
of the
ofhave
the audit
information,
difficult, and
doing so may nature
prove to
significant
cross-organization
sharing
of
audit
information
performance ramifications. Therefore, it is oftenmay
the be
case that
essential
for
effective
analysis
of
the
auditing
being
performed.
This
control addresses
the establishment
of policy
and
cross-organizational
auditing
(e.g., the type
of auditing
For
example,
the
audit
records
of
one
organization
may
not
procedures
for the effective
implementation
of selected
capability provided
by service-oriented
architectures)
simply
provide
information
to determine
the
appropriate
security
controls
and
control
enhancements
in the
CA
capturessufficient
the identity
of
individuals
issuing requests
atfamily.
the or
inappropriate
use
of
organizational
information
resources
by
Policy
and procedures
reflect
applicable
federal
laws,record
Executive
initial information
system,
and
subsequent
systems
that
individuals
in
other
organizations.
In
some
instances,
only
the
Orders,
directives,
regulations,
policies, standards,
the requests
emanated
from authorized
individuals.and
home
organizations
of individuals
have
appropriate
guidance.
Security program
policies
andthe
procedures
at the
knowledge
to
make
such
determinations,
thus
requiring
the
sharing
of
audit
information
among
organizations.
Organizations assess security controls in organizational
information systems and the environments in which those
systems operate as part of: (i) initial and ongoing security
authorizations; (ii) FISMA annual assessments; (iii) continuous
monitoring; and (iv) system development life cycle activities.
Security assessments: (i) ensure that information security is
built into organizational information systems; (ii) identify
weaknesses and deficiencies early in the development process;
(iii) provide essential information needed to make risk-based
decisions as part of security authorization processes; and (iv)
ensure compliance to vulnerability mitigation procedures.
Assessments are conducted on the implemented security
controls from Appendix F (main catalog) and Appendix G
(Program Management controls) as documented in System
Security Plans and Information Security Program Plans.
Organizations can use other types of assessment activities
such as vulnerability scanning and system monitoring to
maintain the security posture of information systems during
the entire life cycle. Security assessment reports document
assessment results in sufficient detail as deemed necessary by
Independent assessors or assessment teams are individuals or

groups who conduct impartial assessments of organizational
information
systems.
Impartiality
implies
that assessors
are
Organizations
can employ
information
system
monitoring,
free
from
any assessments,
perceived or actual
conflicts
interest
with
insider
threat
malicious
user of
testing,
and
other
regard
to
the
development,
operation,
or
management
of the
forms
of
testing
(e.g.,
verification
and
validation)
to
improve
Organizations
may
often rely
on assessments
of specific
organizational
information
systems
under
assessment
to the
readiness
bysystems
exercising
organizational
capabilities
and or
information
by
other
(external)
organizations.
Utilizing
determination
of
security
control
effectiveness.
To
achieve
indicating
current
performance
levels
asexisting
a meansassessment
of focusing
such
existing
assessments
(i.e.,
reusing
This
control
applies
to dedicated
connections
impartiality,
assessors
should
not:
(i) create
a between
mutual
or
actions
to
improve
security.
Organizations
conduct
assessment
evidence)
can
significantly
decrease
the
time
and
resources
information
systems
(i.e.,
system
interconnections)
does
conflicting
with
the
organizations
wherelaws,
theand
activities
ininterest
accordance
with
applicable
federal
Executive
required
for
organizational
assessments
by limiting
the
amount
not
apply
to
transitory,
user-controlled
connections
such
as
assessments
are
being
conducted;
(ii)
assess
their
own
work;
Orders,
directives,
policies, regulations,
and
standards. need
of
independent
assessment
activities
that
organizations
email
and
website
browsing.
Organizations
carefully
consider
(iii)
act
as
management
or
employees
of
the
organizations
Authorizing
officials
approve
the assessment
methods
inin they
to
perform.
The
factors
that
organizations
may
consider
the
risks
that
may
be
introduced
when
information
systems
are
are
serving;
or
(iv)
place
themselves
in
positions
of
advocacy
coordination
with the to
organizational
risk executive
function.
determining
whether
accept
assessment
results
from
connected
to
other
systems
with
different
security
for
the organizations
acquiring vulnerabilities
their services. uncovered
Independent
Organizations
can incorporate
during
external
organizations
can controls,
vary.
Determinations
for accepting
requirements
and
security
both
within
organizations
assessments
can
be
obtained
from
elements
within
assessments
into
vulnerability
remediation
processes.
assessment
based
on,
example,
past
and
externalresults
to
Authorizing
officials
determine
organizations
ororganizations.
cancan
be be
contracted
tofor
public
or private
sector
assessment
experiences
one
organization
has
had
with
another
the
risk outside
associated
with information
system connections
and
entities
of organizations.
Authorizing
officials
determine
organization,
the
reputation
that
organizations
have
with
the
appropriate
controls
employed.
If
interconnecting
systems
required
level
of
independence
based
on
the
security
Organizations
typically do
not
have
controlofover
external
regard
to same
assessments,
the
level
ofand/or
detail
supporting
have
the
authorizing
official,
organizations
do
not
need
categories
of
information
systems
the
ultimate
risk
to to
networks
(e.g.,
the Internet).provided,
Approvedorboundary
protection
assessment
documentation
mandates
imposed
develop
Interconnection
Security
Agreements.
Instead,
organizational
operations,
organizational
assets,
or
individuals.
devices
(e.g., routers,
firewalls)
mediate
communications
(i.e.,
Organizations
typically
do
not
have
control
overofexternal
upon
organizations
by
federal
legislation,
policies,
or directives.
organizations
can
describe
the
interface
characteristics
Authorizing
officials
also
determine
if
thenational
level
assessor
information
flows)
between
unclassified
security
networks
(e.g.,provides
the Internet).
Approved
boundary
protection
between
those
interconnecting
systems
in their
respective
independence
sufficient
assurance
that
the
resultsisare
systems
and
external
networks.
This
control
enhancement
devices
(e.g.,
routers,
firewalls)
mediate
communications
(i.e.,
Organizations
typically
do
not
have
control
over
external
security
plans.
If
interconnecting
systems
have
different
sound and
be used to processing,
make credible,
risk-based
decisions.
required
forcan
organizations
storing,
or transmitting
information
flows)
between
classified
national
security
systems
networks
(e.g.,
the Internet).
boundary
protection
authorizing
officials
within
theApproved
samecontracted
organization,
organizations
This
includes
determining
whether
security
Controlled
Unclassified
Information
(CUI).
and
external
networks.
In addition,
approved
boundary
devices
(e.g.,
routers,
firewalls)
mediate
communications
(i.e.,
can
either
develop
Interconnection
Security
Agreements
assessment
services
have
sufficient
independence,
for or
A
public network
is(typically
any network
accessible
to the general
protection
devices
managed
interface/cross-domain
information
flows)
between
unclassified
non-national
security
describe
the
interface
characteristics
between
systems
in
the
example,
when
information
system
owners
are
not
directly
public
including,
for
example, flow
the Internet
and organizational
systems)
provide
information
enforcement
frominfluence
systems
and
external
networks.
This
control
enhancement
is
security
plans
for
the
respective
systems.
Organizations
may
involved
in
contracting
processes
or
cannot
unduly
extranets
with
public
access.
Organizations
can
constrain
information
system
connectivity
to
information
systems
to
external
networks.
required
for
organizations
processing,
storing,
or
transmitting
also
incorporateof
Interconnection
Securityassessments.
Agreement In
the impartiality
assessors conducting
external
domains
(e.g.,
websites)
by
employing
of two
Controlled
Unclassified
Information
(CUI).
information
into formal
contracts,
especially
for onethat
special situations,
for example,
when
organizations
own
policies
with
regard
to
such
connectivity:
(i)
allow-all,
deny
interconnections
established
between
federal agencies
andby
the information systems
are small
or organizational
structures
exception,
known
blacklisting
(thebyweaker
twoare
nonfederal
(i.e.,
privateassector)
organizations.
Riskof thethat
require thatalso
assessments
are conducted
individuals
policies);
or
(ii)
deny-all,
allow
by
exception,
also
known
as
considerations
also
include
information
systems sharing
the
in the of
developmental,
operational,
or management
of
Plans
action
and
milestones
are
key
documents
inchain
security
whitelisting
(the
stronger
of
the
two
policies).
For
either
policy,
same
networks.
For
certain
technologies
(e.g.,
space,
system
owners,
independence
in
assessment
processes
can
authorization
packages
and
areexceptions,
subject to if
federal
reporting be
organizations
determine
what
any,
are
unmanned
aerial
vehicles,
and
medical
devices),
there
may be
achieved
by
ensuring
that
assessment
results
are
carefully
requirements
established by OMB.
acceptable.
specialized
connections
in place
during preoperational
testing.
reviewed and
analyzed by
independent
teams of experts
to
Such
connections
may require
Interconnection
validate
the completeness,
accuracy,
integrity, Security
and reliability of
Agreements
and be subject
to additional
security controls.
the results. Organizations
recognize
that assessments
performed for purposes other than direct support to
authorization decisions are, when performed by assessors with
sufficient independence, more likely to be useable for such
decisions, thereby reducing the need to repeat assessments.
Security authorizations are official management decisions,
conveyed through authorization decision documents, by senior
organizational officials or executives (i.e., authorizing officials)
to authorize operation of information systems and to explicitly
accept the risk to organizational operations and assets,
individuals, other organizations, and the Nation based on the
implementation of agreed-upon security controls. Authorizing
officials provide budgetary oversight for organizational
information systems or assume responsibility for the
mission/business operations supported by those systems. The
security authorization process is an inherently federal
responsibility and therefore, authorizing officials must be
federal employees. Through the security authorization process,
Continuous monitoring programs facilitate ongoing awareness

of threats, vulnerabilities, and information security to support
organizational risk management decisions. The terms
continuous and ongoing imply that organizations
assess/analyze security controls and information securityrelated risks at a frequency sufficient to support organizational
risk-based decisions. The results of continuous monitoring
programs generate appropriate risk response actions by
organizations. Continuous monitoring programs also allow
organizations to maintain the security authorizations of
information systems and common controls over time in highly
dynamic environments of operation with changing
mission/business needs, threats, vulnerabilities, and
technologies. Having access to security-related information on
a continuing basis through reports/dashboards gives
organizational officials the capability to make more effective
and timely risk management decisions, including ongoing
security authorization decisions. Automation supports more
frequent updates to security authorization packages,
Organizations
can maximize inventories,
the value of and
assessments
of
hardware/software/firmware
other system
security
controls
during theiscontinuous
monitoring
process
by
information.
Effectiveness
further enhanced
when
continuous
requiring
that
such
assessments
be
conducted
by
assessors
monitoring outputs are formatted to provide information thatoris
assessment
teams with
appropriate
levels of
independence
specific, measurable,
actionable,
relevant,
and
timely.
based
on
continuous
monitoring
strategies.
Assessor
Continuous
monitoring
activities
are
scaled
in
accordance
Trend
analysesprovides
can include,
for example,
examining
recentwith
independence
a
degree
of
impartiality
to
the
the
security
categories of information
systems.
threat
information
thesuch
types
of threat events
that
monitoring
process.regarding
To achieve
impartiality,
assessors
have
occurred
within
the
organization
or
across
the
federal
Penetration
testing
is aa mutual
specialized
type of assessment
should not: (i)
create
or conflicting
interest with the
government,
rates
of certain
of cyber
attacks,(ii)
conducted
onsuccess
information
systems
or types
individual
system
organizations
where
the
assessments
are being
conducted;
emerging
vulnerabilities
in
information
technologies,
evolving of
components
to
identify
vulnerabilities
thatare
could
exploited
assess
their own
work; (iii)
act asor
management
orbe
employees
Independent
penetration
agents
teams
individuals
or
social
engineering
techniques,
results
from
multiple
security
by
adversaries.
Such
testing
can
be
used
to
either
validate
the
organizations
they
are
serving;
or
(iv)
place
themselves
in
groups
who
conduct impartial
penetration
testing of
control
assessments,
the
effectiveness
of
configuration
vulnerabilities
or
determine
the
degree
of
resistance
advocacy
positions
for
the
organizations
acquiring
their
organizational
information
Impartiality
that
Red
teamand
exercises
extend
the objectives
penetration
settings,
findings
from systems.
Inspectors
General
orimplies
auditors.
organizational
information
systems
have
toof
adversaries
within
services.
penetration
agents
or
teams
are
free
from
any
perceived
or
testing
by
examining
the security
posture
of organizations
a
set ofconflicts
specified
constraints
(e.g.,
time,
resources,
and/or and
actual
of
interest
with
regard
to
the
development,
their
ability
to implement
effective
cyber
defenses.
such, of
This
control
to connections
between
organizational
skills).
Penetration
testing
attempts
to duplicate
theAs
actions
operation,
orapplies
management
of the information
systems
thattoare
red
team
exercises
reflect
simulated
adversarial
attempts
information
systems
and
(separate)
constituent
system
adversaries
in
carrying
out
hostile
cyber
attacks
against
the
targets oforganizational
the penetration
testing. Supplemental
guidance
compromise
mission/business
functions
and
components
(i.e.,
connections)
including,
organizations
and intra-system
provides
a
more
in-depth regarding
analysis
of for
for
CA-2
(1)
provides
additional
information
provide
a
comprehensive
assessment
of
the
security
state
of
example,
system
connections
devices,
security-related
weaknesses/deficiencies.
Organizations
can
independent
assessments
thatwith
can mobile
be applied
to penetration
information
systems
and
organizations.
Simulated
adversarial
notebook/desktop
printers,
copiers,
facsimile
also
use the resultscomputers,
of vulnerability
analyses
to support
testing.
attempts
toscanners,
compromise
organizational
missions/business
machines,
sensors,
and
servers.
Insteadcan
of be
penetration
testing
activities.
Penetration
testing
functions
and
the
information
systems
that
support
those
authorizing
each
connection,
organizations
conducted on
theindividual
hardware,internal
software,
or firmware
components
missions/functions
may
include
technology-focused
attacks
Security
compliance
checks
may
for
example,
can
internal
connections
for a class
of physical
components
of anauthorize
information
system
and
caninclude,
exercise
both
and
(e.g.,
interactions
with
hardware,
software,
or
firmware
verification
of characteristics
the relevant
configuration.
with
common
configurations,
for
technical
security
controls. baseline
A and/or
standard
method for penetration
components
and/or
mission/business
processes)
and
social
example,
alladdresses
digital
scanners,
and
with
a
testing
includes,
forprinters,
example:
(i) pretest
analysis
based
on full
This
control
the establishment
ofcopiers
policy
and
engineering-based
attacks
(e.g.,
interactions
via
email,
specified
processing,
storage,
and
transmission
capabilityof
or all
knowledge
of
system;
(ii)
pretest identification
procedures
forthe
thetarget
effective
implementation
of selected
telephone,
shoulder
surfing,
or
personal
conversations).
While
smart
phones
with
a
specific
baseline
configuration.
potential
vulnerabilities
based
on
pretest
analysis;
and
(iii)
security
controls
and
control
enhancements
in the CM
family.
penetration
testing
be largely
laboratory-based
testing,
testing
designed
to may
determine
exploitability
of identified
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
organizations
use
team
exercises
provide
more
vulnerabilities.
All red
parties
agree
to thetorules
of engagement
Orders,
directives,
regulations,
policies,
standards,
and
comprehensive
assessments
that
reflect
real-world
conditions.
before the Security
commencement
of
penetration
testing scenarios.
guidance.
program
policies
and
procedures
at
the
Red
team exercises
can the
be used
to improve
security
awareness
Organizations
correlate
penetration
testing
rules
of
organization
leveltomay
make
the of
need
for system-specific
and
training and
assess
levels
security
control
engagement
with the
tools,
techniques,
and
procedures
policies
and
procedures
unnecessary.
The
policy
can be that
effectiveness.
are
anticipated
to
be
employed
by
adversaries
carrying
outfor
included as part of the general information security policy
attacks.
Organizational
risk
assessments
guide
decisions
on the
level
of independence
required nature
for personnel
conducting
policies
reflecting the complex
of certain
organizations.
penetration
testing.
This control establishes baseline configurations for information

systems and system components including communications
and connectivity-related aspects of systems. Baseline
configurations are documented, formally reviewed and agreedupon sets of specifications for information systems or
configuration items within those systems. Baseline
configurations serve as a basis for future builds, releases,
and/or changes to information systems. Baseline configurations
include information about information system components
(e.g., standard software packages installed on workstations,
notebook computers, servers, network components, or mobile
devices; current version numbers and patch information on
Automated
mechanisms
that help organizations
maintain
operating systems
and applications;
and configuration
consistent
baseline configurations
for information
systems
settings/parameters),
network topology,
and the logical
include,
for
example,
hardware
and
software
inventory
tools,
Retaining
of baseline
configurations
to
placementprevious
of thoseversions
components
within the
system
configuration
management
tools,
and
network
management
support
rollback
may include,
for example,
hardware,
software,
architecture.
Maintaining
baseline
configurations
requires
tools.
Such
tools
can beas
deployed
and/or information
allocated
as systems
common
firmware,
configuration
files,
and configuration
records.
creating
new
baselines
organizational
controls,
at the
information
level, orofat
the operating
change over
time.
Baseline system
configurations
information
system
component
level enterprise
(e.g., on workstations,
systemsor
reflect
the current
architecture.servers,
notebook computers, network components, or mobile devices).
Tools can be used, for example, to track version numbers on
operating
system
applications,
types of software
and
Establishing
separate
baseline configurations
for installed,
development,
current
levels. Thisenvironments
control enhancement
can be satisfied
testing, patch
and operational
helps protect
by
the
implementation
of
CM-8
(2)
for
organizations
that
information
systems
from
unplanned/unexpected
events
When
itto
is combine
known
that
information
systems,
system
choose
information
system
component
inventory
related
to development
testing
activities.
Separate
components,
or devices and
(e.g.,
notebook
computers,
mobile
and
baseline
configuration
activities.
baseline
configurations
allow
organizations
to
apply the
devices) will be located in high-risk areas, additional
security
configuration
management
that
most appropriate
eachin
controls may be
implemented
toiscounter
the greaterfor
threat
type
configuration.
Forthe
example,
of operational
such of
areas
coupled with
lack of management
physical security
relative to
configurations
typically
emphasizes
the
need
for
stability,
while
organizational-controlled areas. For example, organizational
management
of
development/test
configurations
requires
policies and procedures for notebook computers used by
greater
flexibility.
Configurations
the from
test environment
mirror
Configuration
change
controls
forinorganizational
information
individuals
departing
on
and returning
travel
include,
for
the
configurations
in
the
operational
environment
to
the
extent
systems
the systematic
proposal,
example,involve
determining
which locations
arejustification,
of concern, defining
practicable
so that
the results
the
are representative
implementation,
testing,
review,
and testing
disposition
of
changes
to
required configurations
for
theof
devices,
ensuring
that
the
of
the
proposed
changes
to
the
operational
systems.
This
the
systems,
including system
upgrades
and
modifications.
devices
are configured
as intended
before
travel
is initiated,
control
enhancement
requires
separate
configurations
but is
not
Configuration
change safeguards
control includes
to baseline
and applying
specific
to thechanges
device
after
travel
necessarily
separate
physical
environments.
configurations
for components
configuration
items
of
completed. Specially
configuredand
notebook
computers
include,
information
changes
to configuration
settings
for
for example,systems,
computers
with sanitized
hard drives,
limited
information
products
(e.g., operating
applications,technology
and additional
hardening
(e.g., moresystems,
stringent
applications,
and
mobile devices),
configuration firewalls,
settings).routers,
Specified
safeguards
applied to mobile
unscheduled/unauthorized
changes,
and for
changes
to remediate
devices upon return from travel
include,
example,
vulnerabilities.
Typical for
processes
managing
configuration
examining the device
signs offor
physical
tampering
and
changes
to information
systems
for example,
purging/reimaging
the hard
disk include,
drive. Protecting
information
Configuration
Control
Boards
approve
changes to
residing on mobile
devices
is that
covered
in theproposed
media protection
systems.
For new development information systems or systems
family.
undergoing major upgrades, organizations consider including
representatives from development organizations on the
Configuration Control Boards. Auditing of changes includes
Changes to information systems include modifications to

hardware, software, or firmware components and configuration
settings defined in CM-6. Organizations ensure that testing
does not interfere with information system operations.
Individuals/groups conducting tests understand organizational
Information
security
can include,
for example,
security policies
and representatives
procedures, information
system
security
senior
agency
information
security
officers,
information
policies and procedures, and the specific health, safety, system
and
security
officers,
or include,
information
system
security
Security
responses
for example,
halting managers.
information
environmental
risks
associated
with
particular
Representation
by personnel
with
information
security
system
processing,
halting
selected
system
functions,
or taken
facilities/processes.
Operational
systems
may
need
to be
expertise
isreplicated
importanttobecause
changes
to information
system
issuing
alerts/notifications
to
organizational
personnel
off-line,
or
the
extent
feasible,
before
testing
can
Regardless
of the
cryptographic
means
employed
(e.g.,when
public
configurations
can
have
unintended
side
effects,
some
of
which
there
is
an
unauthorized
modification
of
a
configuration
item.
be
conducted.
If
information
systems
must
be
taken
off-line
for
key,
private
key, shared secrets),
organizations
ensure
may
be security-relevant.
Detecting
suchduring
changes
earlythat
in the
testing,
the
tests
are
scheduled
to
occur
planned
there
arecan
processes
andunintended,
procedures
in place
to
effectively
Organizational
personnel
with
information
security
process
help
avoid
negative
consequences
system outages
whenever
possible.
If
testing
cannot
be
manage
those
means.
For
example,
if
devices
use
certificates
responsibilities
(e.g., Information
System
Administrators,
that
could ultimately
affectsystems,
the security
state
of organizational
conducted
on
operational
organizations
employ
as
a basis for
identification
and authentication,
there
needs
to
Information
System
Security
Information
System
information
systems.
The
configuration
change
control
element
Separate
test
environment
inOfficers,
thisthe
context
means
an
compensating
controls
(e.g.,
testing
on
replicated
systems).
be
a
process
in
place
to
address
expiration
of
those
Security
Managers,
Information
System
Security
in
this control
enhancement
reflects
the change
control
environment
that
is and
physically
or logically
isolated
and distinct
certificates.
Engineers)
conduct
security
impact
analyses.
Individuals
elements
defined
by
organizations
in
CM-3.
from
the
operational
environment.
The
separation
is
sufficient
Implementation
is this
context
refers possess
to installing
changed
code
conducting
security
impact
analyses
thedo
necessary
to
ensure
that
activities
in
the
test
environment
not
impact
in
the operational information
system.
skills/technical
to analyze
the changes
to information
activities in theexpertise
operational
environment,
and information
in
Any
changes
to
the
hardware,
software,
and/or
firmware
systems
and
the
associated
security
ramifications.
Security to
the operational environment is not inadvertently transmitted
components
of information
systems
can potentially
have
impact
may include,
forenvironments
example,
reviewing
security
the testanalysis
environment.
Separate
can be
achieved
significant
effects
on
the
overall
security
of
the
systems.
plans
to
understand
security
control
requirements
and
by physical or logical means. If physically separate test
Therefore,
organizations
permit
only qualified
and authorized
reviewing
system
documentation
todetermine
understand
environments
are design
not used,
organizations
thecontrol
individuals
to
access
information
systems
for
purposes
of
implementation
and
how
specific
changes
might
affect
the
strength
of that
mechanism
required
implementing
Indications
warrant
review
ofwhen
information
systemlogical
changes
initiating
changes,
including
upgrades
and
modifications.
controls.
Security
impact
analyses
may
also
include
separation
(e.g.,circumstances
separation achieved
through virtual
and
the specific
justifying
reviews
Organizations
records
of access such
to ensure
that
assessments
ofmaintain
risk to better
understand
the
impact
ofmay
the be
machines).
obtained
from
activities
carried
out
by
organizations
during
Software
and to
firmware
components
prevented
from
configuration
change
control
is implemented
and
to installation
support
changes and
determine
if additional
security
controls
are the
configuration
change
process.
unless
signed
withimpact
recognized
and approved
certificates
after-the-fact
actions
should
organizations
discover
any
required.
Security
analyses
are scaled
in accordance
include,
example,
software
and
firmware
updates,
unauthorized
changes.
Access
forversion
change
also
with the for
security
categories
of restrictions
the information
systems.
patches,
service packs,
device
drivers,
and basic
inputfor
output
include software
libraries.
Access
restrictions
include,
system
(BIOS)
updates.
Organizations
can identify
example,
physical
and logical
access controls
(see applicable
AC-3 and PEsoftware
andautomation,
firmware components
by type,
by specific
3), workflow
media libraries,
abstract
layersitems,
(e.g.,
or
a combination
of both.
signatures
and organizational
changes
implemented
intoDigital
third-party
interfaces
rather than
verification
such signatures,
is a and
method
of code
directly intoof
information
systems),
change
windows (e.g.,
Organizations employ dual authorization to ensure that any

changes to selected information system components and
information
cannot occur
unless twosystems
qualified
individuals
In many organizations,
information
support
multiple
implement
such
changes.
The
two
individuals
possess
core missions/business functions. Limiting privileges tosufficient
change
skills/expertise
to determine
if the
proposed
are
information system
components
with
respectchanges
to operational
correct
of approved
changes.
Dual
systemsimplementations
is necessary because
changes
to a particular
authorization
may
also
be
known
as
two-person
control.
information system component may have far-reaching
effects
on mission/business processes supported by the system where
the component resides. The complex, many-to-many
Software libraries
include
privileged
programs.
relationships
between
systems
and mission/business
processes
are in some cases, unknown to developers.
Configuration settings are the set of parameters that can be

changed in hardware, software, or firmware components of the
information system that affect the security posture and/or
functionality of the system. Information technology products for
which security-related configuration settings can be defined
include, for example, mainframe computers, servers (e.g.,
database, electronic mail, authentication, web, proxy, file,
domain name), workstations, input/output devices (e.g.,
scanners, copiers, and printers), network components (e.g.,
firewalls, routers, gateways, voice and data switches, wireless
access points, network appliances, sensors), operating
systems, middleware, and applications. Security-related
parameters are those parameters impacting the security state
of information systems including the parameters required to
Responses
tosecurity
unauthorized
to configuration
settings
satisfy other
controlchanges
requirements.
Security-related
can
include, include,
for example,
alerting (i)
designated
organizational
parameters
for example:
registry settings;
(ii)
personnel,
restoring
established
configuration
or in for
account, file,
directory
permission
settings; andsettings,
(iii) settings
extreme
cases,
halting
affected
information
system
processing.
functions, ports, protocols, services, and remote connections.
Organizations establish organization-wide configuration
settings and subsequently derive specific settings for
information systems. The established settings become part of
Information
can provide
a wide
variety
of functions
the systemssystems
configuration
baseline.
Common
secure
and
services. Some
the functions
and services,
provided by
configurations
(also of
referred
to as security
configuration
default,
may
not be necessary
to support
essential
checklists,
lockdown
and hardening
guides,
security reference
organizational
operations
key missions,
functions).
guides, security
technical (e.g.,
implementation
guides)
provide
Additionally,
it is sometimes
convenient
to benchmarks
provide multiple
recognized, standardized,
and
established
that
services
from
single
information
system
components,
but
doing
stipulate secure configuration settings for specific information
so
increasesplatforms/products
risk over limiting the
provided
by any one
technology
andservices
instructions
for configuring
The
organization
can
either
make
a determination
of the
component.
Where
feasible,
organizations
limit operational
component
those
information
system
components
to meet
relative
security
the function,
port,
protocol,
and/or
functionality
toCommon
aof
single
function
per device
(e.g.,
email
servers
requirements.
secure configurations
can
be service
or
base
the
security
decision
on
the
assessment
of
other
web
servers,
but
not
both).
Organizations
review
functions
developed by a variety of organizations including, for example,
entities.
Bluetooth,
FTP,
and
peer-to-peer
networking
are
and
services
provided
by
information
systems
or individual
information
technology
product
developers,
manufacturers,
examples
of less
than
secure
protocols.
components
of information
systems,
to determine
which and
vendors, consortia,
academia,
industry,
federal agencies,
functions
and services
are public
candidates
for elimination
(e.g.,
other organizations
in the
and private
sectors. Common
Voice
Internet Protocol,
Messaging,
auto-execute,
secureOver
configurations
includeInstant
the United
States Government
and
file sharing).
Organizations
disabling
Configuration
Baseline
(USGCB) consider
which affects
the unused or
unnecessary
physical
and
logical
(e.g.,
implementation
of CM-6
and
otherports/protocols
controls such as
AC-19 and
Universal
Bus,Content
File Transfer
Protocol,
and Hyper
Text
CM-7. TheSerial
Security
Automation
Protocol
(SCAP)
and
Transfer
Protocol)
on information
systems (e.g.,
to prevent
the defined
standards
within the protocol
Common
unauthorized
of devices,
unauthorized
transfer
Configuration connection
Enumeration)
provide an
effective method
toof
information,
or unauthorized
tunneling.
Organizations
can
uniquely identify,
track, and control
configuration
settings.
utilize
network scanning
tools, intrusion
detection
and
OMB establishes
federal policy
on configuration
requirements
prevention
systems, and
end-point protections such as firewalls
for federal information
systems.
Organizations use the registration process to manage, track,

and provide oversight for information systems and
implemented
functions,
ports,
protocols,
and services.
The process used
to identify
software
programs
that are not
authorized to execute on organizational information systems is
commonly referred to as blacklisting. Organizations can
implement CM-7 (5) instead of this control enhancement if
whitelisting (the stronger of the two policies) is the preferred
approach for restricting software program execution.
The process used to identify software programs that are

authorized to execute on organizational information systems is
commonly referred to as whitelisting. In addition to whitelisting,
organizations consider verifying the integrity of white-listed
software programs using, for example, cryptographic
checksums, digital signatures, or hash functions. Verification of
white-listed software can occur either prior to execution or at
system startup.
Organizations may choose to implement centralized
information system component inventories that include
components from all organizational information systems. In
such situations, organizations ensure that the resulting
inventories include system-specific information required for
proper component accountability (e.g., information system
association, information system owner). Information deemed
necessary for effective accountability of information system
components includes, for example, hardware inventory
specifications, software license information, software version
numbers, component owners, and for networked components
or devices, machine names and network addresses. Inventory
specifications include, for example, manufacturer, device type,
model, serial number, and physical location.
Organizations maintain information system inventories to the

extent feasible. Virtual machines, for example, can be difficult
to
monitor
such machines
not visible
the
This
controlbecause
enhancement
is appliedare
in addition
to to
the
network
when
not
in
use.
In
such
cases,
organizations
maintain
monitoring for unauthorized remote connections and mobile
as
up-to-date,
complete,
and
accurate
an
inventory
as
is may
devices. Monitoring for unauthorized system components
deemed
reasonable.
This
control
enhancement
can
be
satisfied
be accomplished on an ongoing basis or by the periodic
by
the implementation
CM-2
(2) for Automated
organizations
that
scanning
of systems forofthat
purpose.
mechanisms
choose
to
combine
information
system
component
inventory
can be implemented within information systems or in other
and
baseline
configuration
separate
devices.
Isolation activities.
can be achieved, for example, by
Identifying
individualsinformation
who are both
responsible
and in
placing unauthorized
system
components
accountable
for administering
information
components
separate domains
or subnets or
otherwise system
quarantining
such
helps
to ensure
that
theofassigned
components
are
properly
components.
This
type
component
isolation is
commonly
administered
organizations can contact those individuals if
referred to as and
sandboxing.
some action is required (e.g., component is determined to be
the source of a breach/compromise, component needs to be
recalled/replaced, or component needs to be relocated).
This control enhancement addresses the potential problem of

duplicate accounting of information system components in
large
or complex
interconnected
systems.
This control
enhancement
focuses
on configuration settings
established by organizations for information system
components,
specific
that
have been assessed
Organizationsthe
may
choosecomponents
to implement
centralized
to
determine
compliance
with
the
required
information system component inventories configuration
that include
settings,
andfrom
any approved
deviations
from established
components
all
organizational
information
systems.of
The
use of automated
mechanisms to track the location
configuration
settings.
Centralized
of information
systemthe
component
information repositories
system components
can increase
accuracy of
inventories
provide
opportunities
for
efficiencies
in
accounting
component
inventories.
Such
capability
may
also
help
Organizations
determine
the software,
criteria for
or types
of information
for
organizational
hardware,
and
firmware
assets.
organizations
rapidly(e.g.,
identify
the location and
responsible
system
components
microprocessors,
motherboards,
Such
repositories
may
also
help
organizations
rapidly
identify
individuals
of system components
that have
been
software,
programmable
logicindividuals
controllers,
and
network
devices)
the
location
and
responsible
of
system
components
compromised,
breached,
or areenhancement.
otherwise in need of mitigation
that
are
subject
to
this
control
that
have been compromised, breached, or are otherwise in
actions.
need of mitigation actions. Organizations ensure that the
resulting centralized inventories include system-specific
information required for proper component accountability (e.g.,
Configuration
management
plans
satisfy the system
requirements
information system
association,
information
owner).in
configuration management policies while being tailored to
individual information systems. Such plans define detailed
processes and procedures for how configuration management
is used to support system development life cycle activities at
the information system level. Configuration management plans
are typically developed during the development/acquisition
phase of the system development life cycle. The plans describe
how to move changes through change management processes,
how to update configuration settings and baselines, how to
maintain information system component inventories, how to
control development, test, and operational environments, and
In
the
dedicated
management teams
how
toabsence
develop,ofrelease,
andconfiguration
update key documents.
assigned
within
organizations,
system
developers
may
be
Organizations can employ templates to help ensure
consistent
tasked
to
develop
configuration
management
processes
using
Software
license
trackingand
can implementation
be accomplishedofby
manual
and timely
development
configuration
personnel
who
are
not
directly
involved
in
system
development
methods
(e.g.,plans.
simple
spreadsheets)
or automated
methods
management
Such
templates can
represent a
master
or
integration.
This
separation
offor
duties
ensures that
(e.g.,
specialized
tracking
applications)
onat large
configuration
management
plan
the depending
organization
organizations
establish
maintain aon
sufficient
degree
of
organizational
needs.
with subsets of
the planand
implemented
a system
by system
independence
between
the
information
system
development
basis. Configuration management approval processes include
and
integration
processes
and configuration
designation
of key
management
stakeholdersmanagement
responsible for
processes
to facilitate
quality
control
and more
effective
reviewing and
approving
proposed
changes
to information
oversight.
systems, and personnel that conduct security impact analyses
prior to the implementation of changes to the systems.
Configuration
items are
the information
items
Open source software
refers
to software system
that is available
in
(hardware,
software,
firmware,
and
documentation)
to
be
source code form. Certain software rights normally reserved for
configuration-managed.
As information
systems
continuelicense
copyright
holders
are routinely
provided
under
software
If
provided
the
necessary
privileges,
users
have
the
ability to
through
the
system
development
life
cycle,
new
configuration
agreements
thatinpermit
individuals
to study, systems.
change,
and
install
software
organizational
information
To items
items
may
besoftware.
identified
andasome
existing
configuration
improve
the
From
security
perspective,
the
major
maintain
control
over
the
types
of
software
installed,
may no longer
needsource
to be under
configuration
control.
advantage
of
open
software
is
that
it
provides
organizations identify permitted and prohibited actions
organizations
with the
ability to Permitted
examine the
sourceinstallations
code.
regarding software
installation.
software
However,
there
are
also
various
licensing
issues
associated
may include, for example, updates and security patches to
with
open
source and
software
including,
for example,
the
existing
software
downloading
applications
from
constraints
on
derivative
use
of
such
software.
organization-approved app stores. Prohibited software
installations may include, for example, software with unknown
or suspect pedigrees or software that organizations consider
potentially malicious. The policies organizations select
governing user-installed software may be organizationdeveloped or provided by some external entity. Policy
enforcement methods include procedural methods (e.g.,
periodic examination of user accounts), automated methods
Privileged status can be obtained, for example, by serving in

the role of system administrator.
security controls and control enhancements in the CP family.
Contingency planning for information systems is part of an
overall organizational program for achieving continuity of
operations for mission/business functions. Contingency
planning addresses both information system restoration and
implementation of alternative mission/business processes
when systems are compromised. The effectiveness of
contingency planning is maximized by considering such
planning throughout the phases of the system development life
cycle. Performing contingency planning on hardware, software,
and firmware development can be an effective means of
achieving information system resiliency. Contingency plans
reflect the degree of restoration required for organizational
information systems since not all systems may need to fully
recover to achieve the level of continuity of operations desired.
Information system recovery objectives reflect applicable laws,
Executive Orders, directives, policies, standards, regulations,
and guidelines. In addition to information system availability,
contingency plans also address other security-related events
resulting in a reduction in mission and/or business
effectiveness, such as malicious attacks compromising the
confidentiality or integrity of information systems. Actions
addressed in contingency plans include, for example,
orderly/graceful degradation, information system shutdown,
fallback to a manual mode, alternate information flows, and
operating in modes reserved for when systems are under
attack. By closely coordinating contingency planning with
incident handling activities, organizations can ensure that the
necessary contingency planning activities are in place and
activated in the event of a security incident.
Plans related to contingency plans for organizational

information systems include, for example, Business Continuity
Plans,
Disaster
Recovery
Plans,
Continuity
of Operations
Plans,
Capacity
planning
is needed
because
different
types of threats
Crisis
Communications
Plans,
Critical
Infrastructure
Plans,
(e.g., natural disasters, targeted cyber attacks) can result in a
Cyber
Incident
Response
Plans,
Insidertelecommunications,
Threat Implementation
reduction
of the
available
processing,
and
Organizations
may
choose
to carry
out the contingency
Plan,
and
Occupant
Emergency
Plans.
support
originally
intended
to support the
planningservices
activities
in this control
enhancement
as part of
organizational
missions/business
functions.
Organizations
organizational
business
continuity
planning
including,
for may
Organizations
may degraded
choose tooperations
carry out the
contingency
need
to
anticipate
during
contingency
example,
as part ofinbusiness
impact
analyses. The
timeofperiod
planning
activities
this
control
enhancement
as part
operations
and of
factor
such
degradation
into capacity
planning.
for
resumption
essential
missions/business
functions
may be
organizational
business
continuity
planning
including, for
Organizations
may
choose
to
carry
out
the
contingency
dependent
on
the
severity/extent
of
disruptions
to
the
example,
as part ofinbusiness
impact
analyses. The
timeofperiod
planning
activities
thisits
control
enhancement
as part
information
system
and
supporting
infrastructure.
for
resumption business
of all missions/business
functions
may be
organizational
continuity
planning
including,
for
Organizations
may
choose
to carryof
out
the contingency
dependent
on
the
severity/extent
disruptions
to
the
example,
as
part
of
business
impact
analyses.
Primary
planning
activities
inand
thisits
control
enhancement
as part of
information
systemstorage
supporting
infrastructure.
processing
and/or
sites
defined
by organizations
as
organizational
business
continuity
planning
including,
for
When
the
capability planning
of an organization
to successfully
carry
out
part
of
contingency
may
change
depending
on
the
example,
as
part
of
business
impact
analyses.
Primary
its
core missions/business
functions
is dependent
on external
circumstances
associated
the
contingency
(e.g.,
backup
processing
and/or
storage with
sites
defined
by organizations
as
service
providers,
developing
a
timely
and
comprehensive
Organizations
may
choose
to
carry
out
the
contingency
sites
may
become
primary
sites).
part
of
contingency
planning
may
change
depending
on
the
contingency
plan may
become
more
challenging.
In
thisof
planning
activities
in this
control
enhancement
as
part
circumstances
associated
with the
contingency
(e.g.,
backup
situation,
organizations
coordinate
contingency
planning
organizational
business
continuity
planning including,
forto the
Contingency
training
provided
by
organizations
is
linked
sites
may
become
primary
sites).
activities
with
theofexternal
entities
toanalyses.
ensure that
the individual
example,
as
part
business
impact
Organizations
assigned
roles
and
responsibilities
of needs
organizational
personnel
plans
reflect
the
overall
contingency
ofthat
the additional
organization.
identify
critical
information
system
assets
to ensure
that the
appropriate
content
andso
level
of detail is
safeguards
and countermeasures
can be
employed
and
included in such
training. For example,
regular
users(above
may only
beyond
those
safeguards
and
countermeasures
routinely
need to know when and where to report for duty during
implemented)
to help ensure
organizational
contingency operations
and ifthat
normal
duties are affected;
missions/business
functions
can
continue
to betraining
conducted
system administrators may require additional
on how
during
contingency
operations.
In
addition,
the
identification
of
to set up information systems at alternate processing and
critical
information
assets
facilitates
the
prioritization
of
storage sites; and managers/senior leaders may receive more
organizational
resources.
information
system assets
specific training
on how toCritical
conduct
mission-essential
functions
include
technical
and
operational
aspects.
Technical
aspects
in designated off-site locations and how to establish
include,
for example,
technology
services,
communications
with information
other governmental
entities
for purposes
information
system
components,
information
technology
of coordination on contingency-related activities.
Training for
products,
androles/responsibilities
mechanisms. Operational
include,
for
contingency
reflectsaspects
the specific
continuity
example,
procedures
(manually
executed
operations)
and
Methods
for testing
requirements
in the contingency
contingency plans
plan. to determine the
personnel
(individuals
operating
technical
safeguards
and/or
effectiveness of the plans and to identify potential
weaknesses
executing
manual
procedures).
Organizational
program
in the plans include, for example, walk-through and tabletop
protection
plans can provide
assistance
in identifying
critical
exercises, checklists,
simulations
(parallel,
full interrupt),
and
assets.
comprehensive exercises. Organizations conduct testing based
on the continuity requirements in contingency plans and
include a determination of the effects on organizational
operations, assets, and individuals arising due to contingency
operations. Organizations have flexibility and discretion in the
breadth,
depth,
timelinesplans
of corrective
actions.
Plans related
to and
contingency
for organizational
information systems include, for example, Business Continuity
Plans, Disaster Recovery Plans, Continuity of Operations Plans,
Crisis Communications Plans, Critical Infrastructure Plans,
Cyber Incident Response Plans, and Occupant Emergency
Plans. This control enhancement does not require organizations
to create organizational elements to handle related plans or to
align such elements with specific plans. It does require,
however, that if such organizational elements are responsible
for related plans, organizations should coordinate with those
elements.
Automated mechanisms provide more thorough and effective

testing of contingency plans, for example: (i) by providing more
complete coverage of contingency issues; (ii) by selecting more
realistic test scenarios and environments; and (iii) by
effectively stressing the information system and supported
missions.
Alternate storage sites are sites that are geographically distinct
from primary storage sites. An alternate storage site maintains
duplicate copies of information and data in the event that the
primary storage site is not available. Items covered by
alternate storage site agreements include, for example,
environmental conditions at alternate sites, access rules,
physical and environmental protection requirements, and
Threats
that affect
alternate storage
sites are
typically
defined
coordination
of delivery/retrieval
of backup
media.
Alternate
in
organizational
assessments
of risk and
include, for plans
example,
storage
sites reflect
the requirements
in contingency
so
natural
disasters, structural
failures,
hostile
cyber attacks, and
that organizations
can maintain
essential
missions/business
errors
of omission/commission.
Organizations
determine
functions
despite disruption, compromise,
or failure
in what
is
considered ainformation
sufficient degree
of separation between primary
organizational
systems.
Area-wide
disruptions
refer based
to those
of disruptions
and alternate
storage sites
ontypes
the types
of threatsthat
that
are
broad
in
geographic
scope
(e.g.,
hurricane,
regional
power
are of concern. For one particular type of threat (i.e., hostile
outage)
with
such
determinations
by organizations
based
Alternate
processing
sites of
are
sitesmade
that between
are
geographically
cyber attack),
the degree
separation
sites is less
on
organizational
assessments
of
risk.
Explicit
mitigation
distinct
relevant.from primary processing sites. An alternate processing
actions
include,
for example:
(i) duplicating
backup
site provides
processing
capability
in the event
that information
the
at
other
alternate
storage
sites
if
access
problems
occur
primary processing site is not available. Items covered
byat
originally
designated site
alternate
sites; or
(ii) planning
for
alternate processing
agreements
include,
for example,
physical
access
to
retrieve
backup
information
if
electronic
environmental conditions at alternate sites, access rules,
accessibility
the alternateprotection
site is disrupted.
physical and to
environmental
requirements, and
coordination for the transfer/assignment of personnel.
Requirements are specifically allocated to alternate processing
sites
that
reflect
the
requirements
in contingency
plans to
Threats
that
affect
alternate
processing
sites are typically
maintain
essential
missions/business
functions
despite
defined in organizational assessments of risk and include, for
disruption,
compromise,
or failure
in organizational
information
example,
natural
disasters,
structural
failures,
hostile
cyber
Area-wide
disruptions
refer
to
those
types
of
disruptions
that
systems.
attacks,
and
errors
of
omission/commission.
Organizations
are broad in geographic scope (e.g., hurricane, regional power
determine
what
is determinations
considered a sufficient
degree
of separation
outage)
with
such
made
by
organizations
based
Priority-of-service
agreements
refer
to negotiated
agreements
between
primary
and
alternate
processing
sites
based
on the
on
organizational
assessments
of
risk.
with
providers
that
that
typesservice
of threats
that are
of ensure
concern.
Fororganizations
one particularreceive
type of
priority
treatment
consistent
with
their
availability
Site
preparation
includes,
for example,
establishing
threat
(i.e., hostile
cyber attack),
the degree
of separation
requirements
and
therelevant.
availability
of information
resources at
configuration
for information
system components
at
between sitessettings
is less
the
the alternate
alternate processing
processing site.
site consistent with the requirements
for such settings at the primary site and ensuring that essential
supplies and other logistical considerations are in place.
This control applies to telecommunications services (data and
voice) for primary and alternate processing and storage sites.
Alternate
telecommunications
services
reflect the continuity
Organizations
consider the potential
mission/business
impact in
requirements
in
contingency
plans
to
maintain
essential
situations where telecommunications service providers are
missions/business
functions despite
the loss
of primary
servicing other organizations
with similar
priority-of-service
telecommunications
services.
Organizations
may
specify
provisions.
different time periods for primary/alternate sites. Alternate
telecommunications services include, for example, additional
organizational or commercial ground-based circuits/lines or
satellites in lieu of ground-based communications.
Threats that affect telecommunications services are typically

defined in organizational assessments of risk and include, for
example,
disasters,
structural
Reviews ofnatural
provider
contingency
plansfailures,
considerhostile
the proprietary
cyber/physical
attacks,
and
errors
of
omission/commission.
nature of such plans. In some situations, a summary of provider
Organizations
seekmay
to reduce
common
susceptibilities
by, for
contingency plans
be sufficient
evidence
for organizations
example,
minimizing
shared
infrastructure
among
to satisfy the review requirement. Telecommunications service
telecommunications
service providers
anddisaster
achieving
sufficient
providers may also participate
in ongoing
recovery
geographic
separation
between
services.
Organizations
may
exercises in coordination with the Department of Homeland
consider
using
a
single
service
provider
in
situations
where
the
Security, state, and local governments. Organizations may use
service
provider
can
provide
alternate
telecommunications
these types of activities to satisfy evidentiary requirements
services
separation
needs addressed
in the
risk
related tomeeting
service the
provider
contingency
plan reviews,
testing,
assessment.
and training.
System-level information includes, for example, system-state
information, operating system and application software, and
licenses. User-level information includes any information other
than system-level information. Mechanisms employed by
organizations to protect the integrity of information system
backups include, for example, digital signatures and
cryptographic hashes. Protection of system backup information
while in transit is beyond the scope of this control. Information
system backups reflect the requirements in contingency plans
as well as other organizational requirements for backing up
information.
Critical information system software includes, for example,

operating systems, cryptographic key management systems,
and intrusion detection/prevention systems. Security-related
information includes, for example, organizational inventories of
hardware, software, and firmware components. Alternate
Information
backup
be transferred
to
storage sitessystem
typically
serveinformation
as separatecan
storage
facilities for
alternate
storage
sites
either
electronically
or
by
physical
organizations.
shipment of storage media.
Dual authorization ensures that the deletion or destruction of
backup information cannot occur unless two qualified
individuals
out the
task. Individuals
Recovery iscarry
executing
information
systemdeleting/destroying
contingency plan
backup
information
possess
sufficient
skills/expertise
to
activities to restore organizational missions/business functions.
determine
if the
proposed
of backup
Reconstitution
takes
place deletion/destruction
following recovery and
includes
information
reflects
organizational
policies
and
procedures.
activities for returning organizational information
systems to
Dual
authorization
may also
be known
as two-personoperations
control.
fully operational
states.
Recovery
and reconstitution
reflect mission and business priorities, recovery point/time and
reconstitution objectives, and established organizational
metrics consistent with contingency plan requirements.
Transaction-based information systems include, for example,

database management systems and transaction processing
systems. Mechanisms supporting transaction recovery include,
for example, transaction rollback and transaction journaling.
Restoration of information system components includes, for
example, reimaging which restores components to known,
operational states.
Protection of backup and restoration hardware, firmware, and
software components includes both physical and technical
safeguards.
andthe
restoration
software
includes,
for for
ContingencyBackup
plans and
associated
training
and testing
example,
router
tables,
compilers,
and
other
security-relevant
those plans, incorporate an alternate communications protocol
system
software.
capability
as part
of increasing
the resilience
of organizational
For information
systems
supporting
critical missions/business
information
systems.
Alternate
communications
protocols
functions including, for example, military operations
and
include,
for
example,
switching
from
Transmission
Control
weapons
systems,
civilian
space
operations,
nuclear
power
This
control supports
information
system
resiliency
and
Protocol/Internet
Protocol
(TCP/IP)
Version
4 to TCP/IP
Version 6.
plant
operations,
and
air
traffic
control
operations
(especially
contingency
planning/continuity
of operations.
Tosoftware
ensure
Switching
communications
protocols
may
affect
real-time
operational
environments),
organizations
may choose
mission/business
continuity,
organizations
can
implement
This
controlcertain
addresses
the establishment
of
policy
and
applications
and therefore,
the
potential
side
effects
of revert
to
identify
conditions
under
which
those
systems
alternative
or
supplemental
security
mechanisms.
These
procedures
for
the
effective
of selected
introducing
alternate
communications
protocols
are
analyzed
to
a predefined
safe
ofimplementation
operation.
The primary
safe
mode
of
mechanisms
may
bemode
less
effective
than the
security
controls
and
control
enhancements
in
the
IA
family.
prior
to
implementation.
operation,
which
can
be
activated
automatically
or
manually,
mechanisms
(e.g., not reflect
as easyapplicable
to use, not
as scalable,
or not as
Policy
and
procedures
federal
laws, Executive
restricts
the
types having
of activities
or operations
information
secure).
However,
the
capability
to
readily
employ
Orders,
directives,
regulations,
policies,
standards,
and
systems
could execute
when those
conditions
are encountered.
these
alternative/supplemental
mechanisms
enhances
overall
guidance.
Security
program
policies
and
procedures
at the
Restriction
includes,
for
example,
allowing
only
certain
mission/business
continuity
that
might
otherwise
be adversely
organization
level
may
the
need
for
system-specific
functions
that
could
be make
carried
out
under
limited
power oruntil
with
impacted
if
organizational
operations
had
to
be
curtailed
policies
and
procedures unnecessary.
The policy can be
reduced
communications
bandwidth.
the
primary
means
of implementing
the functions
was
restored.
included
as part
of the
general information
security
policy
for
Given
the
cost
and
level
of
effort
required
to
provide
such
alternative
capabilities,
this control
would
typically
be applied
policies reflecting
the complex
nature
of certain
organizations.
only
to
critical
security
capabilities
provided
by
information
systems,
system
components,
or information
system
services.
general and
for particular
information
systems,
if needed.
The
For
example,
an
organization
may
issue
to
senior
executives
and
system administrators
one-time pads in case multifactor
establishing
policy and procedures.
tokens, the organizations standard means for secure remote
authentication, is compromised.
Organizational users include employees or individuals that
organizations deem to have equivalent status of employees
(e.g., contractors, guest researchers). This control applies to all
accesses other than: (i) accesses that are explicitly identified
and documented in AC-14; and (ii) accesses that occur through
authorized use of group authenticators without individual
authentication. Organizations may require unique identification
of individuals in group accounts (e.g., shared privilege
accounts) or for detailed accountability of individual activity.
Organizations employ passwords, tokens, or biometrics to
authenticate user identities, or in the case multifactor
authentication, or some combination thereof. Access to
Requiring
individuals
to usesystems
individual
authenticators
aslocal
a
organizational
information
is defined
as either
second
level
of authentication
helps
organizations
to mitigate
access or
network
access. Local
access
is any access
to
the
risk
of
using
group
authenticators.
organizational information systems by users (or processes
acting on behalf of users) where such access is obtained by
direct connections without the use of networks. Network access
is access to organizational information systems by users (or
processes acting on behalf of users) where such access is
obtained through network connections (i.e., nonlocal accesses).
Authentication processes resist replay attacks if it is impractical

to achieve successful authentications by replaying previous
authentication
Replay-resistant
techniques
include,
Authentication messages.
processes resist
replay attacks
if it is impractical
for
example,
protocolsauthentications
that use noncesby
orrecording/replaying
challenges such as
to achieve
successful
Transport
Layer
Security
(TLS)
and
time
synchronous
or
previous
authentication
messages.
Single
sign-on
enables
users
to
log Replay-resistant
in once and gain techniques
access to
challenge-response
one-time
authenticators.
include,
example,system
protocols
that useOrganizations
nonces or challenges
multiple for
information
resources.
consider
such
as
Transport
Layer
Security
(TLS)
and
time
synchronous or
the
operational
efficiencies
provided
by
single
sign-on
For
remote access toone-time
privileged/non-privileged
accounts, the
challenge-response
authenticators.
capabilities
with
the
increased
risk
from
disclosures
of single
purpose of requiring a device that is separate from the
authenticators
providing
access
to multiple
system
resources.
information
gaining
access
for
one of
the factors
during
This control system
enhancement
applies
to
organizations
multifactor
authentication
is
to
reduce
the
likelihood
of
implementing logical access control systems (LACS) and
compromising
authentication
credentials
stored on
the system.
physical
access
control systems
(PACS).
Personal
Identity
Out-of-band
authentication
(OOBA)
refers
to the
use
of two
For
example,
adversaries
deploying
malicious
code
on
Verification
(PIV)
credentials
are
those
credentials
issued
by
separate
communication
paths
to identify
and authenticate
organizational
information
systems
can
potentially
compromise
federal
that
to FIPS
Publication
201
and(i.e.,
users
oragencies
devices
to
anconform
information
system.
The
first
path
Organizational
devices
requiring
unique
device-to-device
such
credentials
resident
on the system
and
subsequently
supporting
guidance
documents.
OMB
Memorandum
11-11
the
in-band path),
is used
to identify
authenticate
users
identification
and
authentication
mayand
be defined
by the
type,
by or
impersonate
authorized
users.
requires
federal
agencies
to continue
implementing
devices,
and
generally
is
the
path
through
which
information
device,
or by aspecified
combination
of type/device.
Information
A
localThe
connection
is any
connection
a device
requirements
in
HSPD-12
towith
enable
agency-wide
use
flows.
seconduse
path
(i.e.,
the out-of-band
path)
is used
to
systems
typically
either
shared
known
information
(e.g.,
communicating
without
the
use of a network.
Arequested
network
of
PIV credentials.
independently
verify
the
authentication
and/or
Media
Access
Control
[MAC]
orwith
Transmission
Control
connection
is
any
connection
a
device
that
communicates
action.
For example,
a user
authenticates
via for
a notebook
Protocol/Internet
Protocol
[TCP/IP]
addresses)
device
through
a
network
(e.g.,
local
area
or
wide
area
network,
computer
to aorremote
server toauthentication
which the usersolutions
desires access,
identification
organizational
Internet).
A remote
connection
any connection
with a (e.g.,
device
and
requests
some
action
ofAuthentication
theisleases
server
viaIP
that
communication
DHCP-enabled
clients
obtaining
for
addresses
from
IEEE
802.1x
and
Extensible
Protocol
[EAP],
communicating
through
an
external
network
(e.g.,
the
path.
Subsequently,
the server
contacts
the user
via the
DHCP
servers,
is a typical
example
of dynamic
address
Radius
server
with
EAP-Transport
Layer
Security
[TLS]
Internet).
Bidirectional
authentication
provides
stronger
users
cell
phone
to
verify
that
the
requested
action
allocation
for
authentication,
Kerberos)
to
identify/authenticate
devices
safeguards
todevices.
validate
theThe
identity
of other
devices
forthe on
originated
from
the
user.
userOrganizations
may
either
confirm
local
and/or
wide
area
networks.
determine
the
connections
thattoare
of
greater risk
(e.g.,
remote connections).
intended
action
anauthentication
individual
on the
telephone
orthe
provide
an
required strength
of
mechanisms
by
security
authentication
code
via
the
telephone.
This
type
of
categories of information systems. Because of the challenges
authentication
be employed
by organizations
to mitigate
of applying thiscan
control
on large scale,
organizations
are
actual
or
suspected
man-in
the-middle
attacks.
The
conditions
Device
attestation
the
identification
encouraged
to onlyrefers
applyto
the
control
to thoseand
limited
number
for
activation
can
for
example,
suspicious
activities,
authentication
of ainclude,
device
based
on its
and
(and
type) of devices
that truly
need
to configuration
support this
capability.
new
threat
indicators
orThis
elevated
levels, or via
the some
impact
known
operating
state.
mightthreat
be
determined
Common
device
identifiers
include,
for
example,
media
level or classification
level
of information
inattestation
requested isaccess
cryptographic
hash
of
the
device.
If
device
control
(MAC), Internet protocol (IP) addresses, or device-the
transactions.
means
identification
authentication,
then it isidentifiers
importantis
unique of
token
identifiers.and
Management
of individual
that
patches
and
updates
to
the
device
are
handled
via
a
not applicable to shared information system accounts (e.g.,
configuration
management
process
such
that
the
those
guest and anonymous accounts). Typically, individual identifiers
patches/updates
areofdone
securely andsystem
at the accounts
same time do
are the user names
the information
not
disrupt
identification
authentication
assigned
tothe
those
individuals.and
In such
instances, to
theother
account
devices.
management activities of AC-2 use account names provided by
IA-4. This control also addresses individual identifiers not
necessarily associated with information system accounts (e.g.,
identifiers used in physical security control databases accessed
by badge reader systems for access to information systems).
Preventing reuse of identifiers implies preventing the
assignment of previously used individual, group, role, or device
Prohibiting
the
use of information
account
identifiers
identifiers to
different
individuals, systems
groups, roles,
or devices.
that are the same as some public identifier such as the
individual identifier section of an electronic mail address,
makes it more difficult for adversaries to guess user identifiers
on organizational information systems.
Requiring multiple forms of identification, such as documentary

evidence or a combination of documents and biometrics,
reduces
the likelihood
of individuals
fraudulent
Characteristics
identifying
the statususing
of individuals
include, for
identification
to
establish
an
identity,
or
at
increases
example, contractors and foreign nationals.least
Identifying
thethe
work
factor
of
potential
adversaries.
status
of individuals
by specific
characteristics
provides which
In contrast
to conventional
approaches
to identification
additional
information
about
the people with
whom
presume static
accounts
for preregistered
users,
many
organizational
personnel
are
communicating.
For
example, it
distributed
information
systems
including,
for
example,
Cross-organization
identifier
management
provides
the
might
be
useful
for
a
government
employee
to
know
that one
service-oriented
architectures,
rely on establishing
identifiers
capability
for
organizations
to
appropriately
identify
individuals,
of
the
individuals
on
an
email
message
is
a
contractor.
at
run time
foror
entities
that
were
previouslycross-organization
unknown. In these
groups,
roles,
devices
when
conducting
In-person
registration
reduces
the
likelihood
of fraudulent
situations,
organizations
anticipate
and
provision
for the
activities
involving
the
processing,
storage,
or
transmission
of
identifiers
being
issued
because
it
requires
the
physical
dynamic
establishment
of
identifiers.
Preestablished
trust
information.
presence
of
individuals
and
actual
face-to-face
interactions
Individual
authenticators
include,
for
example, passwords,
relationships
and mechanisms
with
appropriate
authorities to
with
designated
registration
authorities.
tokens,
PKI related
certificates,
and key
cards.
Initial
validatebiometrics,
identities and
credentials
are
essential.
authenticator content is the actual content (e.g., the initial
password) as opposed to requirements about authenticator
content (e.g., minimum password length). In many cases,
developers ship information system components with factory
default authentication credentials to allow for initial installation
and configuration. Default authentication credentials are often
well known, easily discoverable, and present a significant
security risk. The requirement to protect individual
authenticators may be implemented via control PL-4 or PS-6 for
authenticators in the possession of individuals and by controls
AC-3, AC-6, and SC-28 for authenticators stored within
organizational information systems (e.g., passwords stored in
hashed or encrypted formats, files containing encrypted or
hashed passwords accessible with administrator privileges).
Information systems support individual authenticator
management by organization-defined settings and restrictions
for various authenticator characteristics including, for example,
minimum password length, password composition, validation
time window for time synchronous one-time tokens, and
number of allowed rejections during the verification stage of
biometric authentication. Specific actions that can be taken to
safeguard authenticators include, for example, maintaining
possession of individual authenticators, not loaning or sharing
individual authenticators with others, and reporting lost, stolen,
This
control enhancement
applies
to single-factor
or compromised
authenticators
immediately.
Authenticator
authentication
of individuals
passwordswhen
as individual
management includes
issuingusing
and revoking,
no longeror
group
authenticators,
and
in
a
similar
manner,
when
needed, authenticators for temporary access such aspasswords
that
are
part of
authenticators.
Thisauthenticators
control
required
formultifactor
remote maintenance.
Device
enhancement
does not
apply when
passwords
are used to
include, for example,
certificates
and
passwords.
unlock hardware authenticators (e.g., Personal Identity
Verification cards). The implementation of such password
mechanisms may not meet all of the requirements in the
enhancement. Cryptographically-protected passwords include,
for example, encrypted versions of passwords and one-way
cryptographic hashes of passwords. The number of changed
characters refers to the number of changes required with
respect to the total number of positions in the current
password. Password lifetime restrictions do not apply to
temporary passwords. To mitigate certain brute force attacks
against passwords, organizations may also consider salting
passwords.
Status information for certification paths includes, for example,

certificate revocation lists or certificate status protocol
responses. For PIV cards, validation of certifications involves
the construction and verification of a certification path to the
Common Policy Root trust anchor including certificate policy
processing.
This control enhancement focuses on the creation of strong

passwords and the characteristics of such passwords (e.g.,
complexity)
prior to use, the
enforcement
of which isfor
carried
extends
the requirement
out
by
organizational
information
systems
in
IA-5
(1).
organizations to change default authenticators upon
information
system
installation,
by requiring
developers
and/or
For information
systems
containing
multiple security
categories
installers
to
provide
unique
authenticators
or
change
default
of information without reliable physical or logical separation
authenticators
for system
components
prior
to delivery
between
categories,
authenticators
used
to grant
accessand/or
to the
Organizations
exercise
caution
in does
determining
whether
installation.
However,
it
typically
not
apply
to
the security
systems
are
protected
commensurate
with
the
highest
embedded
or stored
authenticators
are ininformation
encrypted or
developers
commercial
category
of of
information
onoff-the-shelve
the systems.
unencrypted
form.
If
authenticators
are
used
inauthenticators
the manner
When
individuals
haveRequirements
accounts on multiple
information
technology
products.
for unique
stored,
then
those
representations
are
considered
unencrypted
systems,
there isinthe
risk that documents
the compromise
of one
can be included
acquisition
prepared
byaccount
authenticators.
This
is
irrespective
of
whether
that
may
lead
to
the
compromise
of
other
accounts
if
individuals
organizations
when
procuring
information
systems
or
system
Cross-organization
management
of credentials
provides
the
representation
is
perhaps
an
encrypted
version
of
something
use
the
same
authenticators.
Possible
alternatives
include,
components.
capability
for
organizations to appropriately authenticate for
else
(e.g.,
a
password).
example:
(i)groups,
having different
authenticators
on all systems;
(ii)
individuals,
roles,
or devices
conducting
crossAuthentication
requires
some
form
ofwhen
binding
between
an
employing
some
form
of
single
sign-on
mechanism;
or
(iii)
organization
activities
involving
the to
processing,
storage,
or In
identity
and
the
authenticator
used
confirm
identity.
including
some
form
of one-time
passwords
on the
all systems.
transmission
of
information.
conventional
approaches,
this binding typically
is established
Hardware token-based
authentication
refersby
to prethe use
provisioning
both
the
identity
and
the
authenticator
to
the
of PKI-based tokens, such as the U.S. Government Personal
information
system. (PIV)
For example,
the bindingdefine
between
a
Identity
Verification
card. Organizations
specific
Unlike
password-based
authentication
which
provides
exact is
username
(i.e.,
identity)
and
a
password
(i.e.,
authenticator)
requirements
for tokens,
such as working
a particular PKI.
matches
of user-input
passwords
storedwith
passwords,
accomplished
by provisioning
theto
identity
and
authenticator as
biometric
authentication
does notNew
provide
such exact matches.
a pair in the
information system.
authentication
Depending
upon
the
type
of
biometric
and
the typeand
of the
techniques allow the binding between the identity
collection
mechanism,
there is likely
to bean
some
divergence
authenticator
to be implemented
outside
information
from
the
presented
biometric
and
stored
biometric
which
system. For example, with smartcard credentials, the
identity
serves
as
the
basis
of
comparison.
There
will
likely
be
and the authenticator are bound together on the card.both
Using
Federal
Identity,
Credential,
and
Access
Management
false
and
false negatives
whencan
making
such (FICAM)thesepositives
credentials,
information
systems
authenticate
approved
pathThe
discovery
and
validation
andfalse
services
comparisons.
rate
which
the falseproducts
accept
and
identities that
have
notatbeen
pre-provisioned,
dynamically
are
those
products
and
services
that
have
been
approved
reject
rates
are
equal
is
known
as
the
crossover
rate.
Biometric
The
feedbackthe
from
information
systems does not
provide
provisioning
identity
after authentication.
In these
through
theorganizations
FICAM
conformance
applicable.
quality
requirements
include,
for program,
example,
acceptable
information
that
would
allow
individuals
to
situations,
can unauthorized
anticipate
thewhere
dynamic
crossover
rates,
as that essentially
reflects
the
accuracy
of
compromise
authentication
mechanisms.
For
some
types
ofthe
provisioning
of
identities.
Preestablished
trust
relationships
and
Authentication
mechanisms may be required within a
biometric.
information
systems
or
system
components,
for
example,
mechanisms
appropriate
authorities
to validate
identities
cryptographicwith
module
to authenticate
an operator
accessing
desktops/notebooks
with
relatively
large
monitors,
the
and
related
credentials
are
essential.
the module and to verify that the operator is authorizedthreat
to
(often
referred
to as shoulder
surfing)
may
be significant.
For
assume
the requested
role and
perform
services
within that
other
types
of
systems
or
components,
for
example,
mobile
role.
devices with 2-4 inch screens, this threat may be less
significant, and may need to be balanced against the increased
likelihood of typographic input errors due to the small
Non-organizational users include information system users

other than organizational users explicitly covered by IA-2.
These
individuals
are uniquely
identified
andaccess
authenticated
This control
enhancement
applies
to logical
control for
accesses
other than
those accesses
identified
and
systems (LACS)
and physical
access explicitly
control systems
(PACS).
documented
in
AC-14.
In
accordance
with
the
E-Authentication
Personal
Identity
Verification
(PIV) credentials
are those
This
control
enhancement
typically
applies
to organizational
E-Government
initiative,
authentication
of non-organizational
credentials
issued
by
federal
agencies
that
conform
to FIPS
information
systems
thatinformation
are accessible
to the
general
public,
users
accessing
federal
systems
may
be required
Publication
201
and
supporting
guidance
documents.
OMB are
for
example,
public-facing
websites.
Third-party
credentials
This
control
enhancement
typically
applies
to information
to
protect
federal,
proprietary,
or privacy-related
Memorandum
11-11
requires
federal
agencies
to information
continue
those
credentials
issued
by
nonfederal
government
entities
systems
that
are
accessible
to
the
general
public,
for
example,
(with
exceptions
noted
for
national
security
systems).
implementing
theFederal
requirements
specified
in HSPD-12
to enable
approved
by
the
Identity,
Credential,
and
Access
public-facing
websites.
FICAM-approved
information
system
Organizations
use
risk
assessments
to
determine
This
control
enhancement
addresses
open
identity
agency-wide
use
of
PIV
credentials.
Management
(FICAM)
Trust
Framework
Solutions
initiative. and
components
include,
example,
information
technology
authentication
needs for
and
consider
scalability,
practicality,
management
standards.
To
ensure
that
these
standards
are
Approved
third-party
credentials
meet
or
exceed
the for
set access
of
products
and
software
libraries
that
haveease
beenofapproved
by the
security
in
balancing
the
need to
ensure
use
viable,
robust,
reliable,
sustainable
(e.g.,
available
in
This
control
enhancement:
(i)
applies
to
logical
and
physical
minimum
federal
government-wide
technical,
security,
privacy,
Federal
Identity,
Credential,
and
Access
Management
to federal information
and
information
systemsand
with the need
commercial
information
technology
products),
access
control
systems;
and
(ii) addresses
Non-Federal
Issuers
and
organizational
maturity
requirements.
This
allows federal
conformance
program.
to
protect
and
adequately
mitigate
risk.
IA-2
addresses
interoperable
as documented,
the United
States Government
(NFIs)
of
identity
cards
that
desire
to
interoperate
with
United
government
relying
parties
to
trust
such
credentials
at
their
This
control
supports
service-oriented
architectures
and
other
identification
and
authentication
requirements
for access
to
assesses
and
scopes
identity
management
standards
and
States
Government
Personal
Identity
Verification
(PIV)
approved
assurance
levels.
distributed
architectural
approaches
requiring
the
identification
information
systems
by
organizational
users.
technology
implementations
information
systemsofand
thatagainst
can system
be applicable
trusted
by federal
federal
and
authentication
information
services.
In such
legislation,
directives,
policies,
and
requirements.
The
result
is
government-relying
parties.
The
X.509
certificate
policy
for the
architectures,
external
services
often
appear
dynamically.
FICAM-issued
implementation
profiles(FBCA)
of approved
protocols
Federal
Bridge
Certification
Authority
addresses
PIV-I
Therefore,
information
systems
shouldsuch
be able
to determine
(e.g.,
FICAM
authentication
protocols
as
SAML
2.0
and 4in
For
distributed
architectures
(e.g.,
service-oriented
requirements.
The
PIV-I
card
is
suitable
for
Assurance
Level
a
dynamic
if
providers
andas
associated
OpenID
2.0,manner,
wellMemorandum
asexternal
other protocols
such
theSpecial
FICAM
architectures),
the
decisions
regarding
the
as
defined
inas
OMB
04-04
andvalidation
NIST
services
are
authentic.
Safeguards
implemented
by of
Backend
Attribute
Exchange).
identification
and
authentication
claims
may
beprovider
made
by
Publication
800-63,
and multifactor
authentication
as defined
Adversaries
may
compromise
individual
authentication
organizational
information
systems
to
validate
and in
services
separate
from
the
services
acting
on
those
decisions.
NIST
Special
Publication
800-116.
PIV-I credentials
are or
those
mechanisms
and subsequently
toinformation
impersonate
service
authenticity
include,
forattempt
example,
code
In
such
situations,
it
is
necessary
to
provide
the
identification
credentials
issued
by
a
PIV-I
provider
whose
PIV-I
certificate
legitimate
users.
This
situation
can
potentially
occur
with
any
signing,
provenance
graphs,
and/or
electronic
signatures
In
addition
totothe
requirements
associated
and
authentication
decisions
(as opposed
to the actual
policy
maps
there-authentication
Federal
Bridge
PIV-I
Certificate
Policy. To
A PIV-I
authentication
mechanisms
employed
by
organizations.
indicating
or
including
the
sources
of
services.
with
session
locks,
organizations
require another
re-authentication
identifiers
authenticators)
to may
the
services
need
provider
is and
cross-certified
(directly
or through
PKIto act
address
this
threat,
organizations
may
employthat
specific
of
individuals
and/or
devices
in
other
situations
including,
forand
This
control
addresses
the
establishment
of
policy
and
on
those
decisions.
bridge)
with
the
FBCA
with
policies
that
have
been
mapped
techniques/mechanisms
and establish
protocols
to assess
example:
(i)
when
authenticators
change;
(ii),
when
roles
procedures
for
the effective
implementation
selected
approved
as
meeting
the requirements
of theofPIV-I
policies
suspicious
behavior
(e.g.,
individuals
accessing
information
change;
(iii)
when
security
categories
of information
systems
security
controls
and
control
enhancements
in
the
IR
family.
defined
in
the
FBCA
certificate
policy.
that
they(iv),
do not
typically
access as
part
of their
normal
duties,
change;
when
the
execution
of
privileged
functions
occurs;
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
roles,
or
responsibilities,
accessing
greater
quantities
of
(v)
after
a
fixed
period
of
time;
or
(vi)
periodically.
Orders,
directives,
regulations,
standards,
and or
information
than the
individualspolicies,
would routinely
access,
guidance.
Security
program
policies
and
procedures
at the
attempting to access information from suspicious network
organization
may
make the
need
for system-specific
addresses). Inlevel
these
situations
when
certain
preestablished
policies
and
procedures
unnecessary.
The
can beselected
conditions or triggers occur, organizations policy
can require
included
as
part
of
the
general
information
security
policy for
individuals to provide additional authentication information.
organizations
or
conversely,
can
be
represented
by
multiple
Another potential use for adaptive identification and
policies
reflecting
the
complex
nature
of certain
organizations.
authentication
is to
increase
the
strength
of mechanism
based
The
procedures
can
be
established
for
the
security
program in
on the number and/or types of records being accessed.
Incident response training provided by organizations is linked
to the assigned roles and responsibilities of organizational
personnel to ensure the appropriate content and level of detail
is included in such training. For example, regular users may
only need to know who to call or how to recognize an incident
on the information system; system administrators may require
additional training on how to handle/remediate incidents; and
incident responders may receive more specific training on
forensics, reporting, system recovery, and restoration. Incident
response training includes user training in the identification
and reporting of suspicious activities, both from external and
internal sources.
Organizations test incident response capabilities to determine

the overall effectiveness of the capabilities and to identify
potential
weaknesses
or deficiencies.
Incident
response
testing
Organizations
use automated
mechanisms
to more
thoroughly
includes,
for example,
the use
of checklists,
walk-through
or
and effectively
test incident
response
capabilities,
for example:
tabletop
exercises,
simulations
(parallel/full
interrupt),
and
(i)
by providingplans
more related
complete
coverageresponse
of incident
response
Organizational
to incident
testing
comprehensive
exercises.
Incident
response
testing
can also
issues;
(ii)
by
selecting
more
realistic
test
scenarios
and
test
include,
example, Business
Continuity
Plans, Contingency
include
afor
determination
ofstressing
the effects
onresponse
organizational
environments;
and
(iii)
by
the
capability.
Plans,
Disaster
Recovery
Plans,
Continuity
of Operations
Organizations
recognize
that
response
capabilityPlans,
is
operations
(e.g.,
reduction
in incident
mission
capabilities),
Crisis
Communications
Plans,
Critical
Infrastructure
Plans,
and
dependent
on the
capabilities
of organizational
information
organizational
assets,
and individuals
due to incident
response.
Occupant
Emergency
Plans.
systems and
the mission/business
processes being supported
by those systems. Therefore, organizations consider incident
response as part of the definition, design, and development of
mission/business processes and information systems. Incidentrelated information can be obtained from a variety of sources
including, for example, audit monitoring, network monitoring,
physical access monitoring, user/administrator reports, and
reported
supply
chain events.
Effective
incident
handling
Automated
mechanisms
supporting
incident
handling
capability
coordination
amongincident
many organizational
processes includes
include, for
example, online
management
entities
including,
for
example,
mission/business
owners,
systems.
Dynamic
reconfiguration
includes,
for example,
information
system owners,
authorizing
officials,changes
human to
router
rules,
access
controland
lists,
intrusionsecurity
detection/prevention
resources
offices,
physical
personnel
offices, legal
system
parameters,
and
filter
rules
for
firewalls
and
gateways.
Classes
of incidents
include,
for example,
malfunctions
due
to
departments,
operations
personnel,
procurement
offices,
and
Organizations
perform
dynamic
reconfiguration
of
information
design/implementation
errors and omissions, targeted
the risk executive (function).
systems,
for
example,
to
stop attacks,
to misdirect
attackers,
malicious
attacks,
and
untargeted
malicious
attacks.
Sometimes
thecomponents
nature of a of
threat
event,
for limiting
example,
a hostile
and
to
isolate
systems,
thus
the
extent
Appropriate
incident
response
actions
include,
for by
example,
cyber
attack,
is
such
that
it
can
only
be
observed
bringing
of
the
damage
from
breaches
or
compromises.
Organizations
graceful
degradation,
information
system
shutdown,
back
together
information
from
differentthe
sources
includingfall
various
include
time
frames for
achieving
reconfiguration
of
to
manual
mode/alternative
technology
whereby
the
system
reports
and reporting
established
by organizations.
information
systems employing
inprocedures
the definition
of themeasures,
reconfiguration
operates differently,
deceptive
alternate
capability,
the address
potential
need that
for
rapid
response
While
manyconsidering
organizations
threat
incidents
as in
information
flows,
or operating
in ainsider
mode
is reserved
order
to
effectively
address
sophisticated
cyber
threats.
an
inherent
partsystems
of their organizational
incident response
solely
for when
are under attack.
capability,
this
control
enhancement
provides
additional
Incident handling for insider threat incidents (including
emphasis
on
this
type
of
threat
and
the
need
for
preparation, detection and analysis, containment,specific
eradication,
incident
handling
capabilities
(as defined within
organizations)
and
recovery)
requires
close
coordination
among
a
variety of
The
coordination
of incident
information
with external
to
provide
appropriate
and timely
responses.
organizational
components
or
elements
to
be
effective.
organizations including, for example, mission/business These
components
or elements include,
forcustomers,
example, and multitiered
partners,
military/coalition
partners,
This
control
enhancement
addresses
the
deployment
mission/business
owners,
information
system
owners,of
human
developers,
can
provide
significant
benefits.
Crossreplacement
or
new
capabilities
in
a
timely
manner
in
response
resources
offices,
procurement
personnel/physical
organizational
coordination
withoffices,
respect
to incident
handling
to
security
incidents
(e.g.,
adversary
actions
during
hostile
Organizations
involved
in supply
chain and
activities
include,
for
security
offices,
operations
personnel,
risk
executive
can
serve
as an
important
risk
management
capability.
This
cyber
attacks).
This
includes
capabilities
implemented
at
the
example,
system/product
developers,
integrators,
(function).
In
addition,
organizations
may
require
external
capability
allows organizations
to
leverage
critical
information
mission/business
process
level
(e.g.,
activating
alternative
manufacturers,
assemblers,
distributors,
vendors,
support
from federal,
state,
and
local
law
enforcement
Documenting
information
system
security
incidents
includes,
from
a variety
ofpackagers,
sources
to
effectively
respond
to information
mission/business
processes)
and
at
the
information
system
and
resellers.
Supply
chain
incidents
include,
for
example,
agencies.
for
example, maintaining
about
each incident,
the
security-related
incidents records
potentially
affecting
the
level.
involving
information
system
status
of
the
incident,
and
other
pertinent
information
organizations
operations,
assets,
and
individuals.
Automated
mechanisms for
tracking security
incidents
and
components,
technology
products,
development
necessary
for information
forensics,
evaluating
incident
details,
trends,
and
collecting/analyzing
incident
information
include,
for
example,
processes
or personnel,
and distribution
processes
ora variety
handling.
Incident
information
can
be
obtained
from
the
Einstein
monitoring
deviceboth
andspecific
monitoring
online
The
intent including,
ofnetwork
this control
is to address
incident
warehousing
facilities.
of
sources
for example,
incident
reports,
incident
Computer
Incident
Response
Centers
(CIRCs)
or
other
reporting
requirements
within an organization
and the formal
response
teams,
auditofmonitoring,
network monitoring,
electronic
databases
incidents.
incident
reporting
requirements
for
federal
agencies
and their
physical access monitoring, and user/administrator reports.
subordinate organizations. Suspected security incidents
include, for example, the receipt of suspicious email
communications that can potentially contain malicious code.
The types of security incidents reported, the content and
timeliness of the reports, and the designated reporting
Organizations involved in supply chain activities include, for

example, system/product developers, integrators,
manufacturers,
packagers,
assemblers,
distributors,
vendors,
Incident response
support resources
provided
by organizations
and
resellers.
Supply
chain
incidents
include,
for
example,
include, for example, help desks, assistance groups, and access
involving
information system
to
forensics mechanisms
services, when
required.
Automated
provide a
push and/or
pull
components,
informationcan
technology
products,
development
capability
for
users
to
obtain
incident
response
assistance.
For
processes or personnel, and distribution processes or
example,
individuals
might
have
access
to
a
website
to
query
External
providers
of information
system
protection
capability
warehousing
facilities.
Organizations
determine
the appropriate
the
assistance
capability,
or
conversely,
the
assistance
include,
for example,
the Computer
Defense
program
information
to share considering
theNetwork
value gained
from
support
capability
have the ability
to proactively
send
information
within
the may
U.S.
Department
of Defense.
External
providers
by external
organizations
with
the
potential
for
harm
due tohelp
to
users
(general
distribution
or targeted)
as part
of increasingof
to
protect,
monitor,
analyze,
detect,
and
respond
to
sensitive
information
being released
to outside
organizations
understanding
of
current
response
capabilities
and
support.
unauthorized
activity within
systems
perhaps questionable
trustworthiness.
and networks.
It is important that organizations develop and implement a
coordinated approach to incident response. Organizational
missions, business functions, strategies, goals, and objectives
for incident response help to determine the structure of
incident response capabilities. As part of a comprehensive
incident response capability, organizations consider the
coordination and sharing of information with external
organizations, including, for example, external service
providers and organizations involved in the supply chain for
organizational information systems.
Information spillage refers to instances where either classified

or sensitive information is inadvertently placed on information
systems that are not authorized to process such information.
Such information spills often occur when information that is
initially thought to be of lower sensitivity is transmitted to an
information system and then is subsequently determined to be
of higher sensitivity. At that point, corrective action is required.
The nature of the organizational response is generally based
upon the degree of sensitivity of the spilled information (e.g.,
security category or classification level), the security
capabilities of the information system, the specific nature of
contaminated storage media, and the access authorizations
(e.g., security clearances) of individuals with authorized access
to the contaminated system. The methods used to
communicate information about the spill after the fact do not
involve methods directly associated with the actual spill to
minimize the risk of further spreading the contamination before
such contamination is isolated and eradicated.
Correction actions for information systems contaminated due to

information spillages may be very time-consuming. During
those
periods,
personnel
mayfor
not
have access
to the
Security
safeguards
include,
example,
making
personnel
contaminated
systems,
which
may
potentially
affect
their
exposed to spilled information aware of the federal laws,
ability
to conduct
organizational
business.
directives,
policies,
and/or
Having an integrated
teamregulations
for incidentregarding
response the
facilitates
information
and
the
restrictions
imposed
based
on exposure to
information sharing. Such capability allows
organizational
such
information.
personnel,
developers,
implementers,
and
operators,
This controlincluding
addresses
the establishment
of policy
and
to
leverage
the
team
knowledge
of
the
threat
in
order
to
implement
defensive
measures
that will enable
organizations
security controls
and control
enhancements
in the
MA family.
to
deter
intrusions
more
effectively.
Moreover,
it
promotes
the
Policy and procedures reflect applicable federal laws,
Executive
rapid
detection
of
intrusions,
development
of
appropriate
mitigations,
and theprogram
deployment
of effective
defensive
guidance. Security
policies
and procedures
at the
measures.
For
example,
when
an
intrusion
is
detected,
the
integrated
security
analysis
team
can
rapidly
develop
an
appropriate
response
operators
to implement,
correlate
the
included as part
of thefor
general
information
security
policy for
new
incident
with
information
on
past
intrusions,
and
augment
ongoing
intelligence
This
the team to
policies reflecting
thedevelopment.
complex nature
ofenables
certain organizations.
identify
adversary
that are linked
to the
operations
tempo
The procedures
canTTPs
be established
for the
security
program
in
or
to
specific
missions/business
functions,
and
to
define
responsive
actions
in a way that does
not is
disrupt
organizational
risk management
strategy
a key the
factor in
mission/business
operations.
Ideally,
information
security
analysis teams are distributed within organizations to make the
capability more resilient.
This control addresses the information security aspects of the

information system maintenance program and applies to all
types of maintenance to any system component (including
applications) conducted by any local or nonlocal entity (e.g., incontract, warranty, in-house, software maintenance
agreement). System maintenance also includes those
components not directly associated with information processing
and/or data/information retention such as scanners, copiers,
and printers. Information necessary for creating effective
maintenance records includes, for example: (i) date and time of
maintenance; (ii) name of individuals or group performing the
maintenance; (iii) name of escort, if necessary; (iv) a
description of the maintenance performed; and (v) information
system components/equipment removed or replaced (including
identification numbers, if applicable). The level of detail
included in maintenance records can be informed by the
security categories of organizational information systems.
Organizations consider supply chain issues associated with
replacement components for information systems.
This control addresses security-related issues associated with

maintenance tools used specifically for diagnostic and repair
actions
organizational
information
systems.
Maintenance
If, upon on
inspection
of maintenance
tools,
organizations
tools
can
include
hardware,
software,
and
firmware
determine that the tools have been modified in an items.
Maintenance
tools are potential
vehicles
for
transporting
improper/unauthorized
manner
or
contain
malicious
code,
the
If,
upon inspection
of media
containing
maintenance
diagnostic
malicious
code,
either
intentionally
or
unintentionally,
intoand
a
incident
is
handled
consistent
with
organizational
policies
and
test
programs,
organizations
determine
that
the
media
facility
and subsequently
into organizational information
procedures
for incident
handling.
contain
code,tools
theincludes
incident
is handled
consistent
with
Organizational
information
all
information
specifically
systems.malicious
Maintenance
can include,
for example,
organizational
incident
handling
policies
and
procedures.
owned
by organizations
and information
provided
hardware/software
diagnostic
test equipment
and to
organizations
in which
organizations
serve
as information
hardware/software
packet
sniffers. This
control
does not cover
stewards.
hardware/software components that may support information
system maintenance, yet are a part of the system, for example,
the software implementing ping, ls,
ipconfig, or the hardware and software implementing
the monitoring port of an Ethernet switch.
This control enhancement applies to information systems that

are used to carry out maintenance functions.
Nonlocal maintenance and diagnostic activities are those
activities conducted by individuals communicating through a
network, either an external network (e.g., the Internet) or an
internal network. Local maintenance and diagnostic activities
are those activities carried out by individuals physically present
at the information system or information system component
and not communicating across a network connection.
Authentication techniques used in the establishment of
nonlocal maintenance and diagnostic sessions reflect the
network access requirements in IA-2. Typically, strong
Comparable security capability on information systems,

diagnostic tools, and equipment providing maintenance
services implies that the implemented security controls on
those systems, tools, and equipment are at least as
comprehensive as the controls on the information system being
serviced.
Notification may be performed by maintenance personnel.

Approval of nonlocal maintenance sessions is accomplished by
organizational personnel with sufficient information security
and information system knowledge to determine the
appropriateness of the proposed maintenance.
Remote disconnect verification ensures that remote

connections from nonlocal maintenance sessions have been
terminated
are no
longer available
for use.
This control and
applies
to individuals
performing
hardware or
software maintenance on organizational information systems,
while PE-2 addresses physical access for individuals whose
maintenance duties place them within the physical protection
perimeter of the systems (e.g., custodial staff, physical plant
maintenance personnel). Technical competence of supervising
individuals relates to the maintenance performed on the
information systems while having required access
This control enhancement denies individuals who lack

appropriate security clearances (i.e., individuals who do not
possess security clearances or possess security clearances at a
lower level than required) or who are not U.S. citizens, visual
and electronic access to any classified information, Controlled
Unclassified Information (CUI), or any other sensitive
information contained on organizational information systems.
Procedures for the use of maintenance personnel can be
documented in security plans for the information systems.
Personnel performing maintenance activities in other capacities

not directly related to the information system include, for
example,
physical
plant
andsystem
janitorial
personnel.that
Organizations
specify
thepersonnel
information
components
result in increased risk to organizational operations and assets,
individuals,
other organizations,
the Nation
when
Preventive maintenance
includesorproactive
care
andthe
servicing
functionality
provided
by
those
components
is
not
operational.
of organizational information systems components for the
Organizational
actions to
obtain maintenance
support
typically
purpose
ofmaintenance,
maintaining
equipment
and facilities
in satisfactory
Predictive
or condition-based
maintenance,
include
having
appropriate
contracts
in
place.
operating
condition.
maintenance
provides for
the
attempts to
evaluateSuch
the condition
of equipment
by performing
systematic
inspection,
tests,
measurements,
adjustments,
periodic
or continuous
(online)management
equipment condition
A
computerized
maintenance
maintains a
parts
replacement,
detection,
and maintenance
correctionsystem
of incipient
monitoring.
The
goal
of
predictive
is
to
perform
computer
database
ofthey
information
about
the
maintenance
failures
either
before
occur
or
before
they
develop
into
maintenance
at
a scheduledand
point
in time when
the
operations
ofaddresses
organizations
automates
processing
This
control
the
establishment
of
policy
and
major
defects.
The
primary
goal
of
preventive
maintenance
maintenance
activity data
is most
cost-effective
and
before the is
equipment
condition
in implementation
order
tooftrigger
maintenance
procedures
for
the
effective
of
selected
to
avoid/mitigate
the
consequences
equipment
failures.
equipment
loses performance
within a threshold. The
planning,
execution,
and
reporting.
security
controls
and
control
enhancements
in
the
MPrestore
family.
Preventive
maintenance
is
designed
to
preserve
and
predictive component of predictive maintenance stems
from
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
equipment
reliability
by
replacing
worn
components
before
the goal of predicting the future trend of the equipment's
Orders,
directives,
regulations,
and
they
actually
Methods
of determining
preventive
(or
condition.
Thisfail.
approach
uses
principles
ofwhat
statistical
process
guidance.
Security
program
policies
and
procedures
at
the
other)
failure
management
policies
to
apply
include,
for
control to determine at what point in the future maintenance
organization
level
may make manufacturer
the
for system-specific
example,
original
equipment
(OEM)
activities will
be appropriate.
Mostneed
predictive
maintenance
policies
and
procedures
unnecessary.
The
policy
be
recommendations,
statistical
failure
records,
of
inspections are performed while equipment isrequirements
in can
service,
included
as part ofor
the
generalof
information
security
policy
for
codes,
regulations
within
jurisdiction,
expert
therebylegislation,
minimizing
disruption
normalasystem
operations.
organizations
or
conversely,
can
be
represented
by
multiple
opinion,
maintenance
that
has
already
been
conducted
on
Predictive maintenance can result in substantial cost savings
policies
reflecting
complex
nature
certain
organizations.
similar
equipment,
or measured
valuesofand
performance
and higher
systemthe
reliability.
Predictive
maintenance
tends to
The
procedures
can
be
established
for
the
security
program in
indications.
include measurement of the item. To evaluate equipment
general
and
for particular
information
systems,
if needed. The
condition,
predictive
maintenance
utilizes
nondestructive
organizational
risk management
strategy
is a key
factor in
testing technologies
such as infrared,
acoustic
(partial
establishing
policy
and
procedures.
discharge and airborne ultrasonic), corona detection, vibration
Information system media includes both digital and non-digital

media. Digital media includes, for example, diskettes, magnetic
tapes, external/removable hard disk drives, flash drives,
compact disks, and digital video disks. Non-digital media
includes, for example, paper and microfilm. Restricting nondigital media access includes, for example, denying access to
patient medical records in a community hospital unless the
The
term security
refers
the application/use
of
individuals
seekingmarking
access to
suchtorecords
are authorized
human-readable
security
attributes.
The to
term
security
labeling
healthcare providers.
Restricting
access
digital
media
refers
to the
application/use
of access
security
with regard
includes,
for example,
limiting
toattributes
design specifications
to
internal
data
structures
within
information
systems
(see ACstored on compact disks in the media library to the project
16).
Information
system media
includes
both digital
leader
and the individuals
on the
development
team.and nondigital media. Digital media includes, for example, diskettes,
magnetic tapes, external/removable hard disk drives, flash
Information
system
media
bothdisks.
digitalNon-digital
and non-digital
drives, compact
disks,
and includes
digital video
media.
Digital media
includes,paper
for example,
diskettes,
magnetic
media includes,
for example,
and microfilm.
Security
tapes,
external/removable
hard disk
drives,
marking
is generally not required
for drives,
media flash
containing
compact
disks,
and digital
disks. Non-digital
media
information
determined
byvideo
organizations
to be in the
public
includes,
paper
and microfilm.
Physically
domain orfor
to example,
be publicly
releasable.
However,
some
controlling
information
system
mediafor
includes,
for example,
organizations
may require
markings
public information
conducting
inventories,
ensuring
procedures
are in place
to of
indicating that
the information
is publicly
releasable.
Marking
allow
individuals
to check
and return
media
to thelaws,
media
information
system
media out
reflects
applicable
federal
library,
and
maintaining
accountability
for all stored
media.
Executive
Orders,
directives,
policies, regulations,
standards,
Secure
storage
includes,
for
example,
a
locked
drawer,
desk,
and
guidance.
Automated mechanisms can include, for example, keypads
onor
cabinet,
or a entries
controlled
mediastorage
library. areas.
The type of media
the external
to media
storage is commensurate with the security category and/or
Information
media includes
both on
digital
and non-digital
classificationsystem
of the information
residing
the media.
media.
Digital
media
includes,
for
example,
diskettes,
magnetic
Controlled areas are areas for which organizations provide
tapes,
external/removable
hard
disk
drives,
flash
drives,
sufficient physical and procedural safeguards to meet the
compact
disks,established
and digitalfor
video
disks. Non-digital
media
requirements
protecting
information
and/or
includes,
forsystems.
example,For
paper
andcontaining
microfilm.information
This control also
information
media
applies
to mobile
devices withtoinformation
storage
capability
determined
by organizations
be in the public
domain,
to be
(e.g.,
smart
phones,
tablets,
E-readers),
that
are
transported
publicly releasable, or to have limited or no adverse impact on
outside
of controlled
areas. Controlled
are areas
organizations
or individuals
if accessedareas
by other
than or
spaces
for which
organizations
provide sufficient
physicalIn
authorized
personnel,
fewer safeguards
may be needed.
and/or
procedural
safeguards
to
meet
the
requirements
these situations, physical access controls provide adequate
established
protection. for protecting information and/or information
systems. Physical and technical safeguards for media are
commensurate with the security category or classification of
the information residing on the media. Safeguards to protect
media during transport include, for example, locked containers
and cryptography. Cryptographic mechanisms can provide
confidentiality
and integrity
depending
upon points
the
Identified custodians
provideprotections
organizations
with specific
mechanisms
used.the
Activities
associated
with transport
include
of contact during
media transport
process
and facilitate
the
actual
transport
as
well
as
those
activities
such
as
releasing
individual accountability. Custodial responsibilities can be
media
for transport
ensuring
media
transferred
from oneand
individual
to that
another
as enters
long asthe
an
appropriate
transport
processes.
For
the
actual
unambiguous custodian is identified at all times.transport,
authorized transport and courier personnel may include
individuals from outside the organization (e.g., U.S. Postal
Service or a commercial transport or delivery service).
This control enhancement applies to both portable storage

devices (e.g., USB memory sticks, compact disks, digital video
disks,
external/removable
hard disk drives)
and
mobile
devices
This control
applies to all information
system
media,
both
with
storage
capability subject
(e.g., smart
phones,
E-readers).
digital
and non-digital,
to disposal
ortablets,
reuse, whether
or
not the media is considered removable. Examples include
media found in scanners, copiers, printers, notebook
computers, workstations, network components, and mobile
devices. The sanitization process removes information from the
media such that the information cannot be retrieved or
Organizations
and approve
media
to be sanitized
to
reconstructed.review
Sanitization
techniques,
including
clearing,
ensure
witherase,
records-retention
policies.
purging,compliance
cryptographic
and destruction,
prevent the
Tracking/documenting
actions
include,
forindividuals
example,
listing
disclosure
of information
to unauthorized
when
Testing of sanitization
equipment
and procedures
may
be such
personnel
who
reviewed
and
approved
sanitization
and
media
is reused
or released
for disposal.
Organizations
conducted
by qualified
and authorized
external
entities (e.g.,
disposal
actions,
types
of
media
sanitized,
specific
files stored
determine
the
appropriate
sanitization
methods
recognizing
other
federal
agencies
or
external
service
providers).
This
control
enhancement
applies
toused,
digital
media
on
media,
sanitization
methods
date
andcontaining
time
of the
thatthe
destruction
is sometimes
necessary
when
other
methods
classified
and Controlled
Unclassified
sanitization
actions,
who performed
theInformation
sanitization,
cannot beinformation
applied
topersonnel
media
requiring
sanitization.
(CUI).
Portable
storage
devices
theperformed
sourceof
ofapproved
malicious
verification
actions
taken,
personnel
who
the
Organizations
use
discretion
oncan
the be
employment
code
insertions
into
organizational
information
systems.
Many
verification,
and disposal
action
taken. Organizations
verify
that
sanitization techniques
and
procedures
for media containing
of
these
devices
are
obtained
from
unknown
and
the
sanitization
of
the
was
effective
prior
topotentially
disposal.
information
deemed
tomedia
be in the
public
domain
or
publicly
untrustworthy
sources and
mayno
contain
malicious
code that
releasable, or deemed
to have
adverse
impact on
can
be
readily
transferred
to
information
systems
through
USB
organizations or individuals if released for reuse or disposal.
ports
or
other
entry
portals.
While
scanning
such
storage
Sanitization of non-digital media includes, for example,
devices
is aalways
recommended,
sanitization
provides
removing
classified
appendix from
an otherwise
unclassified
additional
assurance
that
the
devices
are
free
of malicious
Organizations
employ dual
authorization
that a
document, or redacting
selected
sectionsto
orensure
words
from
code
to include
codemedia
capable
of initiating
zero-day
information
cannot
occurattacks.
unless
document
bysystem
obscuring
thesanitization
redacted
sections/words
in a two
Organizations
consider
nondestructive
sanitization
of portable
technically
qualified
individuals
conduct
the
task.
Individuals
manner
equivalent
in
effectiveness
to
removing
them
the
This
control
enhancement
protects
data/information
onfrom
storage
devices
when
such
devices
are
first
purchased
from
the
sanitizing
information
system
media
possess
sufficient
document.
NSAinformation
standards and
policies
control
the sanitization
organizational
systems,
system
components,
or
manufacturer
or
vendor
prior
to
initial
use
or
when
skills/expertise
to determine
ifclassified
proposed
sanitization
process
for media
containing
information.
devices
(e.g.,
mobile
devices)
ifthe
such
systems,
components,
Information
system
media
includes
both
digital
and
organizations
lose a
positive
chain
of
custody
for
thenon-digital
devices.or
reflects
applicable
federal/organizational
standards,
policies,
devices
are
obtained
by
unauthorized
individuals.
Remote
media.
Digital media
for example,
diskettes,
magnetic
and
procedures.
Dual includes,
authorization
also
helps
to ensure
purge/wipe
commands
require
strong
authentication
to that
tapes,
external/removable
hard
disk
drives,
flash
drives,
Requiring
identifiable
owners
(e.g.,
individuals,
organizations,
sanitization
occurs
intended,
both
protecting
against errors
mitigate
the
riskand
of as
unauthorized
individuals
purging/wiping
the
compact
disks,
digital
video
disks.
Non-digital
media
or
projects)
for
portable
storage
devices
reduces
the
risk
of
and
false
claims
of
having
performed
the
sanitization
actions.
system/component/device.
The
purge/wipe
function
can also
be
includes,
fortechnologies
example,
and
microfilm.
This control
using
such
by
allowing
organizations
to assign
Dual
authorization
maypaper
also
be
known
as two-person
control.
Sanitization-resistance
applies
to
the
capability
to
purge
implemented
in
a
variety
of
ways
including,
for
example,
by
applies
to mobile
devices
with information
storage
capability
responsibility
andmedia.
accountability
for addressing
known
information
from
Certain
types
of
media
do
not
support
overwriting
data/information
multiple
times
or
by
destroying
(e.g.,
smart phones,
tablets,
E-readers).
In contrast
to MP-2,
vulnerabilities
in the
devices
(e.g., malicious
code insertion).
sanitize
commands,
or
if supported,
interfaces
are
notthe
the
key
necessary
decrypt
data.
This
control
applies
all
information
system
media,
digital
and
which
restricts
usertoto
access
to encrypted
media,the
this
control
restricts
supported
in
a
standardized
way
across
these
devices.
non-digital,
subject
outside
of the organization,
use of certain
typesto
of release
media on
information
systems, for
Sanitization-resistant
media
include,
for removable.
example,
compact
whether
not the media
is considered
Theor
example,or
restricting/prohibiting
the use
of
flash drives
flash,
embedded
flash
on
boards
and
devices,
solid
state
downgrading
when
applied to system
media,
removes
external hard process,
disk drives.
Organizations
can employ
technical
drives,
and USB
information
fromremovable
the
media,media.
typically
by security
category
or of
and nontechnical
safeguards
(e.g., policies,
procedures,
rules
classification
level, such
thatofthe
information
cannot
be
behavior) to restrict
the use
information
system
media.
retrieved
or reconstructed.
Downgrading
of media
includes
Organizations
may restrict the
use of portable
storage
devices,
redacting
information
enablecages
wideron
release
and distribution.
for example,
by using to
physical
workstations
to
Downgrading
ofto
media
also
ensures
that or
empty
space on the
prohibit access
certain
external
ports,
disabling/removing
media
(e.g.,
space
files)
is devoid
of information.
the ability
toslack
insert,
read within
or write
to such
devices.
Organizations may also limit the use of portable storage
devices to only approved devices including, for example,
Organizations
canby
document
the media
downgrading
process
devices provided
the organization,
devices
provided
by
by
providing
information
such
as
the
downgrading
technique
other approved organizations, and devices that are not
employed,
the identification
number of the
downgraded
personally owned.
Finally, organizations
may
restrict the media,
use of
and
the
identity
of
the
individual
that
authorized
and/or
portable storage devices based on the type of device,
for
performed
the downgrading
example, prohibiting
the useaction.
of writeable, portable storage
devices, and implementing this restriction by disabling or
removing the capability to write to such devices.
Downgrading of classified information uses approved

sanitization tools, techniques, and procedures to transfer
information
unclassified from
classified
This control confirmed
addresses to
thebe
establishment
of policy
and
information
systems
to
unclassified
media.
security controls and control enhancements in the PE family.
This control applies to organizational employees and visitors.
Individuals (e.g., employees, contractors, and others) with
permanent physical access authorization credentials are not
considered visitors. Authorization credentials include, for
example, badges, identification cards, and smart cards.
Organizations determine the strength of authorization
credentials needed (including level of forge-proof badges,
smart cards, or identification cards) consistent with federal
standards, policies, and procedures. This control only applies to
areas within facilities that have not been designated as publicly
accessible.
Acceptable forms of government photo identification include,

for example, passports, Personal Identity Verification (PIV)
cards,
licenses.
In the
case of gaining
access to
Due toand
the drivers
highly sensitive
nature
of classified
information
facilities
using
automated
mechanisms,
organizations
may use
stored within certain facilities, it is important that individuals
PIV
cards,
key
cards,
PINs,
and
biometrics.
lacking
sufficient
security
clearances,employees
access approvals,
or
This control
applies
to organizational
and visitors.
need
to
know,
be
escorted
by
individuals
with
appropriate
Individuals (e.g., employees, contractors, and others) with
credentials
to ensureaccess
that such
information
is not exposed
or
permanent physical
authorization
credentials
are not
otherwise
compromised.
considered visitors. Organizations determine the types of
facility guards needed including, for example, professional
physical security staff or other personnel such as
administrative staff or information system users. Physical
access devices include, for example, keys, locks, combinations,
and card readers. Safeguards for publicly accessible areas
within organizational facilities include, for example, cameras,
monitoring by guards, and isolating selected information
systems and/or system components in secured areas. Physical
access control systems comply with applicable federal laws,
Executive Orders, directives, policies, regulations, standards,
and guidance. The Federal Identity, Credential, and Access
Management Program provides implementation guidance for
identity, credential, and access management capabilities for
This control enhancement provides additional physical security

for those areas within facilities where there is a concentration
of
information determine
system components
server rooms,
Organizations
the extent,(e.g.,
frequency,
and/or media
storage
areas,
data
and
communications
centers).
randomness of security checks to adequately mitigate risk
associated with exfiltration.
Organizations may implement tamper detection/prevention at

selected hardware components or tamper detection at some
components and tamper prevention at other components.
Tamper detection/prevention activities can employ many types
of anti-tamper technologies including, for example, tamperPhysical
safeguards
applied
to information
system
detectionsecurity
seals and
anti-tamper
coatings.
Anti-tamper
distribution
andtotransmission
lines alterations
help to prevent
accidental
programs help
detect hardware
through
damage,
disruption,
and
physical
tampering.
In
addition,
Controlling
physical
access
to output
devices includes,
for
counterfeiting
and other
supply
chain-related
risks.
physical
may devices
be necessary
to help
prevent
example,safeguards
placing output
in locked
rooms
or other
eavesdropping
or inallowing
transit modification
of unencrypted
secured
areas
and
access
to authorized
individuals
Controlling
physical
access
to
selected
outputphysical
devices
includes,
transmissions.
Security
safeguards
to
control
access
to
only,
and
placing
output
devices
in
locations
that
can
be
for
example,
placing
printers,
copiers,
and
facsimile
machines
system
distribution
and transmission
lines
include,printers,
for
monitored
byareas
organizational
personnel.
Monitors,
in
controlled
with
keypad
access
controls
or limiting
example:
(i)
locked
wiring
closets;
(ii)
disconnected
or locked
copiers,
facsimile
machines,
and
audio devices
are
access
toscanners,
individuals
with
certain
types
of badges.
spare
jacks;
and/or
(iii)
protection
of
cabling
by
conduit
or cable
examples of information system output devices.
trays.
Controlling physical access to selected output devices includes,
for example, installing security functionality on printers,
copiers, and facsimile machines that allows organizations to
implement authentication (e.g., using a PIN or hardware token)
on output devices prior to the release of output to individuals.
Outputs devices include, for example, printers, monitors,
facsimile machines, scanners, copiers, and audio devices. This
control
enhancement
is response
generallycapabilities
applicable to
information
Organizational
incident
include
system
output
devices
other
than
mobiles
devices.
investigations of and responses to detected physical security
incidents. Security incidents include, for example, apparent
security violations or suspicious physical access activities.
Suspicious physical access activities include, for example: (i)
accesses outside of normal work hours; (ii) repeated accesses
to areas not normally accessed; (iii) accesses for unusual
lengths of time; and (iv) out-of-sequence accesses.
This control enhancement focuses on recording surveillance

video for purposes of subsequent review, if circumstances so
warrant
(e.g.,
a break-in detected
other means).
It doesfor
not
This control
enhancement
providesbyadditional
monitoring
require
monitoring
surveillance
video
although
organizations
those areas within facilities where there is a concentration of
may
choose system
to do so.
Note that there
be rooms,
legal media
information
components
(e.g.,may
server
considerations
when
performing
and
retaining
video
storage areas, communications centers).
surveillance, especially if such surveillance is in a public
Visitor
access records include, for example, names and
location.
organizations of persons visiting, visitor signatures, forms of
identification, dates of access, entry and departure times,
purposes of visits, and names and organizations of persons
visited. Visitor access records are not required for publicly
accessible areas.
Organizations determine the types of protection necessary for

power equipment and cabling employed at different locations
both
internal
and external
to organizational
and
Physically
separate,
redundant
power cablesfacilities
help to ensure
environments
of
operation.
This
includes,
for
example,
that power continues to flow in the event one of the cables is
generators
and power
cabling outside of buildings, internal
cut or otherwise
damaged.
cabling and uninterruptable power sources within an office or
data center, and power sources for self-contained entities such
This
control and
applies
primarily to facilities containing
as vehicles
satellites.
concentrations of information system resources including, for
example, data centers, server rooms, and mainframe computer
rooms.
This control enhancement can be satisfied, for example, by the

use of a secondary commercial power supply or other external
power supply. Long-term alternate power supplies for the
information system can be either manually or automatically
activated.
This control enhancement can be satisfied, for example, by the

use of one or more generators with sufficient capacity to meet
the needs of the organization. Long-term alternate power
supplies for organizational information systems are either
manually or automatically activated.
This control applies primarily to facilities containing

example, data centers, server rooms, and mainframe computer
rooms.
example,
data can
centers,
server
rooms,
and mainframe
computer
Organizations
identify
specific
personnel,
roles, and
rooms.
Fire
suppression
and
detection
devices/systems
include,
emergency responders in the event that individuals on the
for
example,list
sprinkler
systems,
handheld
fire extinguishers,
notification
must
have
appropriate
access
authorizations
Organizations
can
identify
specific
personnel,
roles,
and
fixed
fire
hoses,
and
smoke
detectors.
and/or
clearances,
for
example,
to
obtain
access
to facilities
emergency responders in the event that individuals
on the
where
classified
operations
are taking place
where there are
notification
list must
have appropriate
accessorauthorizations
information
systems
information.
and/or clearances,
forcontaining
example, classified
to obtain access
to facilities
where classified operations are taking place or where there are
information systems containing classified information.
concentrations of information system resources, for example,
data centers, server rooms, and mainframe computer rooms.

example,
data
centers, server
rooms, for
andexample,
mainframe
computer
Automated
mechanisms
can include,
water
rooms.
Isolation
valves
can
be
employed
in
addition
to
or in
detection sensors, alarms, and notification systems.
lieu of master shutoff valves to shut off water supplies in
Effectively
enforcing
authorizations
for entry
and exit of
specific areas
of concern,
without affecting
entire
information
system
components
may
require
restricting access
organizations.
to
delivery
areas
and
possibly
isolating
the
areas
from the
Alternate work sites may include, for example, government
information
system
and
media
libraries.
facilities or private residences of employees. While commonly
distinct from alternative processing sites, alternate work sites
may provide readily available alternate locations as part of
contingency operations. Organizations may define different
sets of security controls for specific alternate work sites or
types of sites depending on the work-related activities
conducted at those sites. This control supports the contingency
planning activities of organizations and the federal telework
initiative.
Physical and environmental hazards include, for example,

flooding, fire, tornados, earthquakes, hurricanes, acts of
terrorism, vandalism, electromagnetic pulse, electrical
interference, and other forms of incoming electromagnetic
radiation. In addition, organizations consider the location of
Information
leakage
the intentional
or unintentional
release
physical entry
pointsiswhere
unauthorized
individuals, while
not
of
information
to
an
untrusted
environment
from
being granted access, might nonetheless be in close proximity
electromagnetic
signalsand
emanations.
or for
to information systems
therefore Security
increasecategories
the potential
classifications
of
information
systems
(with
respect
to
unauthorized access to organizational communications (e.g.,
confidentiality)
and
organizational
security
policies guide the
through
the use
of wireless
sniffers
microphones).
Asset
location
technologies
helpororganizations
ensure that
selection
of security
controlscan
employed
to protect systems
critical
such as
vehicles
orto
essential
information
system
againstassets
information
leakage
due
electromagnetic
signals
components
remain
in
authorized
locations.
Organizations
emanations.
consult with the Office of the General Counsel and the Senior
Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO)
regarding the deployment and use of asset location
technologies to address potential privacy concerns.
security controls and control enhancements in the PL family.
Security plans relate security requirements to a set of security
controls and control enhancements. Security plans also
describe, at a high level, how the security controls and control
enhancements meet those security requirements, but do not
provide detailed, technical descriptions of the specific design or
implementation of the controls/enhancements. Security plans
contain sufficient information (including the specification of
parameter values for assignment and selection statements
either explicitly or by reference) to enable a design and
implementation that is unambiguously compliant with the
intent of the plans and subsequent determinations of risk to
organizations, and the Nation if the plan is implemented as
intended. Organizations can also apply tailoring guidance to
the security control baselines in Appendix D and CNSS
Instruction 1253 to develop overlays for community-wide use
or to address specialized requirements, technologies, or
missions/environments of operation (e.g., DoD-tactical, Federal
Public Key Infrastructure, or Federal Identity, Credential, and
Access Management, space operations). Appendix I provides
guidance on developing overlays. Security plans need not be
single documents; the plans can be a collection of various
Security-related activities include, for example, security

assessments, audits, hardware and software maintenance,
patch management, and contingency plan testing. Advance
planning and coordination includes emergency and
nonemergency (i.e., planned or nonurgent unplanned)
This
controlThe
enhancement
applies
organizational
users.
situations.
process defined
by to
organizations
to plan
and
Organizations
consider
rules
of
behavior
based
on
individual
coordinate security-related activities can be included in
user
roles
and for
responsibilities,
differentiating,
example, as
security
plans
information systems
or otherfor
documents,
between
rules
that
apply
to
privileged
users
and
rules
that
appropriate.
apply to general users. Establishing rules of behavior for some
types of non-organizational users including, for example,
individuals who simply receive data/information from federal
information systems, is often not feasible given the large
number of such users and the limited nature of their
interactions with the systems. Rules of behavior for both
organizational and non-organizational users can also be
established in AC-8, System Use Notification. PL-4 b. (the
This
control
enhancement
addresses
rules
of behavior
signed
acknowledgment
portion
of this
control)
may berelated
to
the use
social
media/networking
sites: and
(i) when
satisfied
byofthe
security
awareness training
role-based
organizational
personnel
are
using
such
sites
for officialifduties
security training programs conducted by organizations
such
or
in theincludes
conduct rules
of official
business;
(ii) when organizational
training
of behavior.
Organizations
can use
information
is involved
social media/networking
transactions;
electronic signatures
forinacknowledging
rules of behavior.
and (iii) when personnel are accessing social media/networking
sites from organizational information systems. Organizations
The
may that
be included
the securityentities
plan for
also security
address CONOPS
specific rules
prevent in
unauthorized
the
systeminferring
or in other
system organizational
development life
frominformation
obtaining and/or
non-public
cycle-related
documents,
as appropriate.
Changes
to the
information (e.g.,
system account
information,
personally
CONOPS
are
reflected
in
ongoing
updates
to
the
security
plan,
identifiable information) from social media/networking sites.
the information security architecture, and other appropriate
organizational documents (e.g., security specifications for
procurements/acquisitions, system development life cycle
documents, and systems/security engineering documents).
This control addresses actions taken by organizations in the

design and development of information systems. The
information security architecture at the individual information
system level is consistent with and complements the more
global, organization-wide information security architecture
described in PM-7 that is integral to and developed as part of
the enterprise architecture. The information security
architecture includes an architectural description, the
placement/allocation of security functionality (including
security controls), security-related information for external
interfaces, information being exchanged across the interfaces,
and the protection mechanisms associated with each interface.
In addition, the security architecture can include other
important security-related information, for example, user roles
and access privileges assigned to each role, unique security
requirements, the types of information processed, stored, and
transmitted
bystrategically
the information
system,
restoration
priorities of
Organizations
allocate
security
safeguards
information
and
information
system
services,
and
any
otherso
(procedural, technical, or both) in the security architecture
specific
protection
needs.
In
todays
modern
architecture,
it
that adversaries have to overcome multiple safeguards to
is becoming
common
for organizations
to to
control
all
achieve
theirless
objective.
Requiring
adversaries
defeat
information
resources.
There
are
going
to
be
key
dependencies
multiple mechanisms makes it more difficult to successfully
on
external
information
services
and(i.e.,
service
providers.
attack
critical
information
resources
increases
adversary
Describing
such
dependencies
in
the
information
security The
work factor) and also increases the likelihood of detection.
architecture
is
to
developing
a comprehensive
Different
information
technology
products
have different
coordination
ofimportant
allocated
safeguards
is essential
to ensure that
mission/business
protection
strategy.
Establishing,
developing,
strengths
and weaknesses.
broad
spectrum
of
an attack that
involves one Providing
safeguardadoes
not
create
adverse
documenting,
and
maintaining
under
configuration
control,
a
products
complements
the
individual
offerings.
For
example,
unintended
consequences
(e.g.,
lockout,
cascading
alarms)
by
Central
management
refers
to the organization-wide
baseline
configuration
for
organizational
information
systems
is
vendors
offering
malicious
code
protection
typically
update
interfering
with
another
safeguard.
Placement
of
security
management
and implementation
of selected
security controls
critical
to
implementing
and
maintaining
an
effective
their
products
different
times,
often
developing
solutions
for
safeguards
is
aatkey
activity.
Greater
asset
criticality
orplanning,
and
related
processes.
Central
management
includes
This
control
addresses
the
establishment
of
policy
and
information
security
architecture.
The
development
of
the
known
viruses,
Trojans,
or
worms
according
to
their
priorities
information value
merits additional
layering.
Thus, an the
implementing,
assessing,
authorizing,
and monitoring
procedures
for
the
effective
implementation
of selected
information
security
architecture
isanti-virus
coordinated
with
the
and
development
schedules.
By
having
different
products
at
organization
may
choose
to
place
software
at Senior
organization-defined,
centrally
managedPrivacy
security
controls
and
security
controls
and
control
enhancements
in
the
PS
family.
Agency
Official
for
Privacy
(SAOP)/Chief
Officer
(CPO)
to
different
locations
(e.g.,
server,
boundary,
desktop)
there
is
an
organizational
boundary
layers,
email/web
servers,
notebook
processes.
As
centralcontrols
management
ofto
security
controls
is
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
ensure
that
security
needed
support
privacy
increased
likelihood
that
least
one
will detect
the
malicious
computers,
and workstations
to maximize
the
number
of
generally
associated
withat
common
controls,
such
management
Orders,
directives,
regulations,
standards,
and PL-8
requirements
are identified
andpolicies,
effectively
implemented.
code.
related
safeguards
adversaries
must
penetrate
before
promotes
and
facilitates
standardization
ofinternally
security control
guidance.
Security
program
policies
and
at the
is
primarily
directed
at organizations
(i.e.,procedures
focused)
to
compromising
the
information
and
information
systems.
implementations
and
management
and
judicious
use
organization
levelorganizations
may make the
need for
help ensure that
develop
an system-specific
informationofsecurity
organizational
Centrally-managed
security
controls
policies
and procedures
unnecessary.
The
policy
can
architecture
forresources.
the information
system,
and
that
thebe
security
and
processes
may
also
meet
independence
requirements
for
included
as part
of the general
information
security
policy for
architecture
is integrated
with or
tightly coupled
to the
assessments
in
support
of
initial
and
ongoing
authorizations
organizations
or conversely,
canthe
be organization-wide
represented by multiple to
enterprise architecture
through
operate
as
part
of
organizational
continuous
monitoring.
As
policies
reflecting
thearchitecture.
complex nature
of certain
organizations.
information
security
In contrast,
SA-17
is primarily
part
of the
selection
process,
organizations
The
procedures
can control
be established
for
the security
program in
directed
at security
external
information
technology
product/system
determine
which
controls
may
be
suitable
for
central
general
andand
for particular
systems,
if needed.
developers
integratorsinformation
(although SA-17
could
be used The
management
based
on organizational
resources
organizational
risk
management
issystem
a keyand
factor in
internally within
organizations
forstrategy
in-house
capabilities.
Organizations
consider
that
it
may
not
always
establishing
policy
and
procedures.
development). SA-17, which is complementary to PL-8,
is be
possible
centrally
manage outsource
every aspect
a security control.
selected to
when
organizations
the of
development
of
In
such
cases,
the
security
control
is
treated
as
a hybrid control
information
systems
or
information
system
components
to
Position
designations
reflect
Office of Personnel
with
the risk
control
managed
and
either centrally or
external
entities,
and
there
is aimplemented
need
to designations
demonstrate/show
Management
policy
and
guidance.
Risk
can guide
at
the
information
system
level.
Controls
and
control
consistency
with
the organizations
enterprise
architecture
and
inform
the
types
of
authorizations
individuals
receive
when
enhancements
that
are candidates
for full or partial central
and information
security
architecture.
accessing
organizational
information
and
information
systems.
management include, but are not limited to: AC-2 (1) (2) (3)
Position
screening
criteria
include
security
(4); AC-17
(1) (2) (3)
(9); AC-18
(1)explicit
(3) (4) information
(5); AC-19 (4);
AC-22;
role
appointment
requirements
(e.g.,
training,
security
AC-23; AT-2 (1) (2); AT-3 (1) (2) (3); AT-4; AU-6 (1) (3) (5) (6) (9);
clearances).
AU-7 (1) (2); AU-11, AU-13, AU-16, CA-2 (1) (2) (3); CA-3 (1) (2)
(3); CA-7 (1); CA-9; CM-2 (1) (2); CM-3 (1) (4); CM-4; CM-6 (1);
CM-7 (4) (5); CM-8 (all); CM-9 (1); CM-10; CM-11; CP-7 (all); CP8 (all); SC-43; SI-2; SI-3; SI-7; and SI-8.
Personnel screening and rescreening activities reflect

applicable federal laws, Executive Orders, directives,
regulations, policies, standards, guidance, and specific criteria
established for the risk designations of assigned positions.
Organizations may define different rescreening conditions and
frequencies for personnel accessing information systems based
on types of information processed, stored, or transmitted by
the systems.
Types of classified information requiring formal indoctrination
include, for example, Special Access Program (SAP), Restricted
Data
(RD), and information
Sensitive Compartment
Information
(SCI).
Organizational
requiring special
protection
includes, for example, Controlled Unclassified Information (CUI)
and Sources and Methods Information (SAMI). Personnel
security criteria include, for example, position sensitivity
background screening requirements.
Information system-related property includes, for example,
hardware authentication tokens, system administration
technical manuals, keys, identification cards, and building
passes. Exit interviews ensure that terminated individuals
understand the security constraints imposed by being former
employees and that proper accountability is achieved for
information system-related property. Security topics of interest
at exit interviews can include, for example, reminding
terminated individuals of nondisclosure agreements and
potential limitations on future employment. Exit interviews may
not be possible for some terminated individuals, for example,
in cases related to job abandonment, illnesses, and
nonavailability of supervisors. Exit interviews are important for
individuals with security clearances. Timely execution of
termination actions is essential for individuals terminated for
cause. In certain situations, organizations consider disabling
the
informationconsult
systemwith
accounts
of individuals
that are
being
Organizations
the Office
of the General
Counsel
terminated
prior toofthe
individuals beingrequirements
notified.
regarding matters
post-employment
on
terminated individuals.
In organizations with a large number of employees, not all

personnel who need to know about termination actions receive
the
notificationsor,
if suchornotifications
Thisappropriate
control applies
when reassignments
transfers ofare
received,
they
may
not
occur
in
a
timely
manner.
Automated
individuals are permanent or of such extended durations
as to
mechanisms
can be
used to send
automaticdefine
alerts actions
or
make the actions
warranted.
Organizations
notifications
to specific
organizational
personnel
or roles (e.g.,
appropriate for
the types
of reassignments
or transfers,
management
personnel,
supervisors,
personnel
security
whether permanent or extended. Actions that may be required
officers,
information
security
officers, systems
administrators,
for personnel
transfers
or reassignments
to other
positions
or
information
technology
administrators)
when
individuals
are
within organizations include, for example: (i) returning old and
terminated.
Such
automatic
alerts
or
notifications
can
be
issuing new keys, identification cards, and building passes; (ii)
Access agreements include, for example, nondisclosure

agreements, acceptable use agreements, rules of behavior,
and conflict-of-interest agreements. Signed access agreements
include an acknowledgement that individuals have read,
understand, and agree to abide by the constraints associated
with organizational information systems to which access is
authorized. Organizations can use electronic signatures to
acknowledge access agreements unless specifically prohibited
by organizational policy.
Classified information requiring special protection includes, for

example, collateral information, Special Access Program (SAP)
information, and Sensitive Compartmented Information (SCI).
Personnel security criteria reflect applicable federal laws,
Executive Orders, directives, regulations, policies, standards,
and guidance.
Organizations consult with the Office of the General Counsel

regarding matters of post-employment requirements on
terminated individuals.
Third-party providers include, for example, service bureaus,

contractors, and other organizations providing information
system development, information technology services,
outsourced applications, and network and security
management. Organizations explicitly include personnel
security requirements in acquisition-related documents. Thirdparty providers may have personnel working at organizational
facilities with credentials, badges, or information system
privileges issued by organizations. Notifications of third-party
personnel changes ensure appropriate termination of privileges
and credentials. Organizations define the transfers and
terminations deemed reportable by security-related
characteristics that include, for example, functions, roles, and
nature of credentials/privileges associated with individuals
transferred or terminated.
Organizational sanctions processes reflect applicable federal

laws, Executive Orders, directives, regulations, policies,
standards, and guidance. Sanctions processes are described in
access agreements and can be included as part of general
personnel policies and procedures for organizations.
Organizations consult with the Office of the General Counsel
regarding matters of employee sanctions.
security controls and control enhancements in the RA family.
Clearly defined authorization boundaries are a prerequisite for
effective security categorization decisions. Security categories
describe the potential adverse impacts to organizational
operations, organizational assets, and individuals if
organizational information and information systems are
comprised through a loss of confidentiality, integrity, or
availability. Organizations conduct the security categorization
process as an organization-wide activity with the involvement
of chief information officers, senior information security
officers,
information
system owners,
mission/business
owners,
Clearly defined
authorization
boundaries
are a prerequisite
for
and
information
owners/stewards.
Organizations
also
consider
effective risk assessments. Risk assessments take into account
the
potential
adverse impacts
to other
organizations
and, in
threats,
vulnerabilities,
likelihood,
and impact
to organizational
accordance
with
the
USA
PATRIOT
Act
of
2001
and
Homeland
operations and assets, individuals, other organizations, and the
Security
Presidential
Directives,and
potential
Nation based
on the operation
use of national-level
adverse
impacts.
Security
categorization
processes
carried out
Risk assessments also take into account risk
from external
by
organizations
facilitate
the
development
of
inventories
of
parties (e.g., service providers, contractors operating
information
assets,
and
along
with
CM-8,
mappings
to
specific
information systems on behalf of the organization, individuals
information
system components
where
information
is
accessing organizational
information
systems,
outsourcing
processed,
stored,
or
transmitted.
entities). In accordance with OMB policy and related Eauthentication initiatives, authentication of public users
accessing federal information systems may also be required to
protect nonpublic or privacy-related information. As such,
organizational assessments of risk also address public access
to federal information systems. Risk assessments (either formal
or informal) can be conducted at all three tiers in the risk
management hierarchy (i.e., organization level,
mission/business process level, or information system level)
and at any phase in the system development life cycle. Risk
assessments can also be conducted at various steps in the Risk
Security categorization of information systems guides the

frequency and comprehensiveness of vulnerability scans.
Organizations determine the required vulnerability scanning for
all information system components, ensuring that potential
sources of vulnerabilities such as networked printers, scanners,
and copiers are not overlooked. Vulnerability analyses for
custom software applications may require additional
approaches such as static analysis, dynamic analysis, binary
analysis, or a hybrid of the three approaches. Organizations
can employ these analysis approaches in a variety of tools
(e.g., web-based application scanners, static analysis tools,
binary analyzers) and in source code reviews. Vulnerability
scanning includes, for example: (i) scanning for patch levels;
(ii) scanning for functions, ports, protocols, and services that
should not be accessible to users or devices; and (iii) scanning
for improperly configured or incorrectly operating information
flow control mechanisms. Organizations consider using tools
that express vulnerabilities in the Common Vulnerabilities and
Exposures (CVE) naming convention and that use the Open
Vulnerability Assessment Language (OVAL) to determine/test
for the presence of vulnerabilities. Suggested sources for
The
vulnerabilities
to be scanned
need
to be readily
updated as
vulnerability
information
include the
Common
Weakness
new
vulnerabilities
discovered,
announced,
and scanning
Enumeration
(CWE)are
listing
and the National
Vulnerability
methods
This updating
process
helps
to ensuresuch
that
Databasedeveloped.
(NVD). In addition,
security
control
assessments
potential
vulnerabilities
in
the
information
system
are
identified
as red team exercises provide other sources of potential
and
addressedfor
as which
quicklytoas
possible.
vulnerabilities
scan.
Organizations also consider
using tools that express vulnerability impact by the Common
Vulnerability Scoring System (CVSS).
Discoverable information includes information that adversaries
could obtain without directly compromising or breaching the
information
system, for
collecting
information
the
In certain situations,
theexample,
nature ofby
the
vulnerability
scanning
system
is
exposing
or
by
conducting
extensive
searches
of
the
may be more intrusive or the information system component
web.
Corrective
actions
can
include,
for
example,
notifying
that is the subject of the scanning may contain highly sensitive
appropriate
personnel,
removing
designated
information. organizational
Privileged access
authorization
to selected
system
information,
or
changing
the
information
system
to
make
components facilitates more thorough vulnerability scanning
designated
information
less relevant
to
and also protects
the sensitive
natureorofattractive
such scanning.
adversaries.
Technical surveillance countermeasures surveys are performed

by qualified personnel to detect the presence of technical
surveillance
devices/hazards
and to identify
technical
This control addresses
the establishment
of policy
andsecurity
weaknesses
that
could
aid
in
the
conduct
of
technical
penetrations
of surveyed
facilities.
Such surveys
provide
security controls
and control
enhancements
in the
SA family.
evaluations
of
the
technical
security
postures
of
organizations
and
facilities
and typically
include
thorough
visual, and
electronic,
Orders,
directives,
regulations,
policies,
standards,
and
physical
examinations
in
and
about
surveyed
facilities.
guidance. Security program policies and procedures at the The
surveys
also level
provide
useful
input
into risk
and
organization
may
make
the need
for assessments
system-specific
organizational
exposure
to
potential
adversaries.
Resource allocation for information security includes funding

for the initial information system or information system service
acquisition and funding for the sustainment of the
system/service.
A well-defined system development life cycle provides the

foundation for the successful development, implementation,
and operation of organizational information systems. To apply
the required security controls within the system development
life cycle requires a basic understanding of information
security, threats, vulnerabilities, adverse impacts, and risk to
critical missions/business functions. The security engineering
principles in SA-8 cannot be properly applied if individuals that
design, code, and test information systems and system
components (including information technology products) do not
understand security. Therefore, organizations include qualified
personnel, for example, chief information security officers,
Information
system security
components
are discrete,
identifiable
security architects,
engineers,
and information
system
information
technology
assets
(e.g., hardware,
software,
or to
security officers
in system
development
life cycle
activities
firmware)
that
represent
the
building
blocks
of
an
information
ensure that security requirements are incorporated into
system.
Information
systemsystems.
components
includeimportant
commercial
organizational
information
It is equally
that
information
technology
products.
Security
functional
developers include individuals on the development team that
requirements
include security
security expertise
capabilities,
possess the requisite
andsecurity
skills tofunctions,
ensure
and
mechanisms.
Security
requirements
that security
needed security
capabilities
arestrength
effectively
integrated into
associated
with system.
such capabilities,
functions, and
the information
Security awareness
and mechanisms
training
include
degree
of
correctness,
completeness,
resistance
to
programs can help ensure that individuals having
key security
direct
attack,
and
resistance
to
tampering
or
bypass.
Security
roles and responsibilities have the appropriate experience,
assurance
requirements
include:assigned
(i) development
processes,
skills, and expertise
to conduct
system development
procedures,
practices,
and
methodologies;
and
(ii)
evidence
life cycle activities. The effective integration of security
from
development
and
assessment
activities
providing
grounds
requirements into enterprise architecture also helps to ensure
for
confidence
that
the
required
security
functionality
has
that important security considerations are addressed earlybeen
in
implemented
and
the
required
security
strength
has
been
the system development life cycle and that those
achieved.
Security
documentation
requirements
address all
considerations
are directly
related to
the organizational
phases
of
the
system
development
life
cycle.
Security
mission/business processes. This process also facilitates the
functionality,
and documentation
requirements
integration of assurance,
the information
security architecture
into theare
expressed
in
terms
of
security
controls
and
control
enterprise architecture, consistent with organizational risk
enhancements
that
have beensecurity
selectedstrategies.
through the tailoring
management and
information
process. The security control tailoring process includes, for
example, the specification of parameter values through the use
Functional properties of security controls describe the

functionality (i.e., security capability, functions, or
mechanisms)
at the different
interfaces
of the
Organizations visible
may require
levels
ofcontrols
detail inand
design
specifically
exclude
functionality
and
data
structures
internal to
and implementation documentation for security controls
the
operationorganizational
of the controls.
employed
information
systems,
Following ainwell-defined
system
development
lifesystem
cycle that
components,
or
information
system
services
based
includes state-of-the-practice software developmenton
methods,
mission/business
requirements,
requirements
systems/security engineering
methods,
qualityfor
control
trustworthiness/resiliency,
and requirements
for analysis
and
processes, and testing, evaluation,
and validation
techniques
testing.
Information
systems
can
be
partitioned
into
multiple
helps to reduce the number and severity of latent errors within
Security
configurations
include,
for example,
the
U.S.contain
subsystems.
Each subsystem
within
the system
can
information
systems,
system
components,
and
information
Government
Configuration
Baseline
(USGCB)
and
one
or more
modules.
The high-level
design for
the
system
is
system
services.
Reducing
the
number/severity
ofany
such
errors
limitations
on
functions,
ports,
protocols,
and
services.
Security
expressed
in
terms
of
multiple
subsystems
and
the
interfaces
reduces the number of vulnerabilities in those systems,
characteristics
include,
for example,
requiring that
all default
between
subsystems
providing
security-relevant
functionality.
components,
and
services.
passwords
have
beenfor
changed.
The low-level
design
the system is expressed in terms of
modules with particular emphasis on software and firmware
(but not excluding hardware) and the interfaces between
COTS
IA or
IA-enabled
information technology
products
used
to
modules
providing
security-relevant
functionality.
Source
code
protect
classified
information
cryptographic
may be
and hardware
schematics
are by
typically
referred means
to as the
required
to use NSA-approved
management.
implementation
representationkey
of the
information system.
The objective of continuous monitoring plans is to determine if

the complete set of planned, required, and deployed security
controls
within theofinformation
system,
system component,
The identification
functions, ports,
protocols,
and servicesor
information
system
service
continue
to
be
effective
overthe
time
early in the system development life cycle (e.g., during
based
on the inevitable
changes
occur.
Developer
initial requirements
definition
andthat
design
phases)
allows
continuous
monitoring
plans
include
a
sufficient
level of detail
organizations to influence the design of the information
such
thatinformation
the information
can
be incorporated
into the system
system,
system
component,
or information
This
control
helps
organizational
personnel
understand
the
continuous
monitoring
strategies
and
programs
implemented
service. This early involvement in the life cycle helps
implementation
operation
of security
associated
by
organizations.
organizations
to and
avoid
or minimize
the usecontrols
of functions,
ports,
with
information
systems,
system
components,
and
information
protocols, or services that pose unnecessarily high risks
and
system
services.
Organizations
consider
establishing
understand
the trade-offs
involved
in blocking
specificspecific
ports,
measures
quality/completeness
of the
content
protocols, to
or determine
services (orthe
when
requiring information
system
provided.
The
inability
to
obtain
needed
documentation
may
service providers to do so). Early identification of functions,
occur,
for example,
to theavoids
age ofcostly
the information
ports, protocols,
anddue
services
retrofitting of
system/component
or
lack
of
support
developers
security controls after the informationfrom
system,
system and
contractors.
In
those
situations,
organizations
may
component, or information system service has beenneed to
recreate
selected
documentation
if such documentation
implemented.
SA-9
describes requirements
for external is
essential
to system
the effective
implementation
or operation
of
information
services
with organizations
identifying
security
controls.
The
level
of
protection
provided
for
selected
which functions, ports, protocols, and services are provided
information
system,
component, or service documentation is
from external
sources.
commensurate with the security category or classification of
the system. For example, documentation associated with a key
DoD weapons system or command and control system would
typically require a higher level of protection than a routine
Organizations apply security engineering principles primarily to

new development information systems or systems undergoing
major
upgrades.
For legacy
apply
External
information
systemsystems,
services organizations
are services that
are
security
engineering
principles
to
system
upgrades
and
implemented outside of the authorization boundaries of
modifications
the extentsystems.
feasible, This
given
the current
statethat
of
organizationalto
information
includes
services
hardware,
software,
and
firmware
within
those
systems.
are used by, but not a part of, organizational information
Security
principles
for example:
(i)
systems.engineering
FISMA and OMB
policyinclude,
require that
organizations
developing
layered
protections;
(ii)
establishing
sound
security
using external service providers that are processing, storing,
or
policy,
architecture,
and
controls
as
the
foundation
for
design;
transmitting federal information or operating information
(iii)
incorporating
requirements
into the
system
systems
on behalfsecurity
of the federal
government
ensure
that such
development
life
cycle;
(iv)
delineating
physical
and
providers meet the same security requirements that logical
federal
security
boundaries;
ensuring
that system establish
developers are
agencies
are
required(v)
to
meet. Organizations
Dedicated
information
security
services include,
for example,
trained
on
how
to
build
secure
software;
(vi)
tailoring
security
relationships
with
external
service
providers
in
a
variety
of
incident
monitoring,
analysis
and
response,
operation
of(vii)
controls
to meetfor
organizational
and operational
needs;
ways
including,
example,
through
joint
ventures,
business
information
security-related
devices
such
firewalls,
or key
performing
threat
modeling
to
identify
useascases,
threat
partnerships,
contracts,
interagency
agreements,
lines of
management
services.
agents,
vectors, and
attackagreements,
patterns as well
businessattack
arrangements,
licensing
and as
supply
compensating
controls
and
design
patterns
needed
to mitigate
chain exchanges. The responsibility for managing risks
from
risk;
and
(viii)
reducing
risk
to
acceptable
levels,
thus
enabling
the use of external information system services remains with
informed
risk
management
decisions.
authorizing
officials.
For services
external to organizations, a
chain of trust requires that organizations establish and retain a
level of confidence that each participating provider in the
potentially complex consumer-provider relationship provides
adequate protection for the services rendered. The extent and
nature of this chain of trust varies based on the relationships
Information from external service providers regarding the

specific functions, ports, protocols, and services used in the
provision
of of
such
services that
can be
useful
when the
The degree
confidence
theparticularly
risk from using
external
need
arises
understand
trade-offs
involved
in restricting
services
is attoan
acceptablethe
level
depends
on the trust
that
certain
functions/services
or
blocking
certain
ports/protocols.
organizations
place
in
the
external
providers,
individually
or in
As organizations increasingly use external service providers,
combination.
Trust
relationships
can
help
organization
to
gain
the possibility exists that the interests of the service providers
increased
levels
oforganizational
confidence that
participating
service
may
diverge
from
interests.
In such
situations,
The
location
of
information
processing,
information/data
providers
are
providing
adequate
protection
for
the
services
simply
having
the correct
technical,
procedural,
or
operational
storage,
or
information
system
services
that
are
critical
rendered.
Such
relationships
cansufficient
be complicated
due to to
the
safeguards
in can
place
maya not
be
ifthe
theability
service
organizations
have
direct
impact
on
of those
This
control
also
applies
to
organizations
conducting
internal
number
of
potential
entities
participating
in
the
consumerproviders
thatto
implement
andexecute
control their
thosemissions/business
safeguards are not
organizations
successfully
information
systems
development
and the
integration.
provider
interactions,
subordinate
relationships
and of
levels
of
operating
in
a
manner
consistent
with
interests
the
functions.
Thistypes
situation
exists
when
external
providers
control
Organizations
consider
the
quality
and
completeness
of
the
trust,
and
the
of
interactions
between
the
parties.
In
consuming
organizations.
Possible
actions
that The
organizations
the
location
of
processing,
storage
or conducted
services.
criteria
configuration
management
activities
by
developers
some
cases,
the
degree
of
trust
is
based
on
the
amount
of
might
take
to
address
such
concerns
include,
for
example,
external
providers
use
for
the
selection
of
processing,
storage,
as
evidence
of
applying
effective
security
safeguards.
direct
control
organizations
are
able
to
exert
on
external
requiring
background
checks
for selected
provider
or
service
locations
may
be different
from service
organizational
Safeguards
include,
forownership
example,
protecting
from
unauthorized
service
providers
with
regard
to employment
of security
personnel,
examining
records,
employing
onlythat
criteria.
For
example,
organizations
may
want
to
modification
or destruction,
the
master
of ensure
all
material
controls
necessary
for
the protection
of copies
the
service/information
trustworthy
service
providers
(i.e.,
providers
with
which
data/information
storage
locations
are
restricted
certain
used
to generate
security-relevant
portions
of and
thetosystem
and
the
evidence
brought
forth as
to
the
effectiveness
of those
organizations
have
had
positive
experiences),
conducting
locations
to
facilitate
incident
response
activities
(e.g.,
hardware,
software,
firmware.
Maintaining
the integrity
controls.
The
level ofand
control
typically
established
by forensic
the of
periodic/unscheduled
visits
toisservice
provider
facilities.
analyses,
after-the-fact
investigations)
in
case
of
information
changes
toconditions
the information
information
system
terms and
of the system,
contracts
or service-level
security
breaches/compromises.
Such
incident
response
component,
or
information
service
requires
agreements
and
can range system
from extensive
control
(e.g.,
activities
may
be
adversely
affected
by
the
governing
lawslife
or
configuration
control throughout
the system
development
negotiating contracts
or agreements
that specify
security
protocols
in
the
locations
where
processing
and
storage
occur
cycle
to track for
authorized
changes
requirements
the providers)
to and
veryprevent
limited unauthorized
control (e.g.,
and/or
theConfiguration
locations
from
which
information
services
changes.
items
that
are placedsystem
using contracts
or service-level
agreements
tounder
obtain
emanate.
This
control services
enhancement
allows
organizations
to detectby
configuration
management
(if
existence/use
is required
commodity
such as
commercial
telecommunications
unauthorized
changes
toinclude:
software
and
firmware
components
other
security
controls)
the
formal
thefactors
services).
In other
cases,
levels of
trust
are model;
based
on
through
the
use
of
tools,
techniques,
and/or
mechanisms
functional,
high-level,
and
low-level
design
specifications;
that
convince
organizations
that
required
security
controls
have
Alternate configuration management processes may be other
provided
by
developers.
Integrity
checking
mechanisms
can
design
data;
implementation
documentation;
source
code and
been
employed
and that
determinations
ofuse
control
required,
for example,
when
organizations
commercial
offalso
address
counterfeiting
of
software
and
firmware
hardware
schematics;
the
running
version
of
the
object
code;
effectiveness
exist.
For
example,
separately
authorized
the-shelf
(COTS)
information
technology
products.
Alternate
This
control
enhancement
allows
organizations
to organizations
detect
components.
Organizations
verify
the
integrity
of
software
and
tools
for comparing
new
versions
of
security-relevant
hardware
external
information
system
services
provided
to
configuration
management
processes
include organizational
unauthorized
changes
to
hardware
components
through
the
firmware
components,
for
example,
through
secure
one-way
descriptions
and
software/firmware
source
code
with
previous
through
well-established
business
relationships
may
provide
personnel
that:
(i) are responsible
for reviewing/approving
use
of
tools,
techniques,
and/or
mechanisms
provided
by range
This
control
enhancement
addresses
changes
toDepending
hardware,
hashes
provided
by
developers.
Delivered
and
versions;
test
fixtures
and
documentation.
on
degrees
ofand
trust
in
such
services
within
thesoftware
tolerable
risk
proposed
changes
to
information
systems,
system
components,
developers.
Organizations
verify
the
integrity
of
hardware
software,
and
firmware
components
between
versions
during
firmware
components
also
include
any
updates
to
such
the
mission/business
needs
of
organizations
and
the
nature
of
of
the
organizations
using
the
services.
External
service
and
information
system
services;
and (ii) conduct
security
components,
for
example,
with
hard-to-copy
labels
andprovide
development.
In
contrast,
SA-10
(1)
and
SA-10
(3)
allow
components.
the
contractual
relationships
in
place,
developers
may
providers
may
also
outsource
selected
services
to
other
This
control
enhancement
addresses
changes
hardware,
impact
analyses
prior to the
implementation
oftoany
changes
to
verifiable
serial
numbers
provided
by
developers,
and
by and
organizations
to
detect
unauthorized
changes
to
hardware,
configuration
management
support
during
the
operations
external
entities,
making
the
trust (e.g.,
relationship
more
difficult
software,
and
firmware
components
during
initial
development
systems,
components,
or
services
a
configuration
control
requiring
the implementation
ofcycle.
anti-tamper
technologies.
software,
firmware
components
through
thenature
use
tools,
maintenance
phases
ofcycle
the life
and during
complicated
to life
manage.
Depending
the
of
the
and
system
updates.
Maintaining
theofintegrity
board
thatand
considers
security
impacts
of on
changes
during
The
trusted
distribution
of
security-relevant
hardware,
Delivered
hardware
components
also
include
updates
to
such
techniques,
and/or
mechanisms
provided
by
developers.
services,
organizations
may
find
it
very
difficult
to
place
between
the
master
copies
of
security-relevant
hardware,
development
includes
representatives
of both
the
software,
and and
firmware
updates
helps to ensure
that
such
components.
significant
trust
inthe
external
providers.
This
is not
due to
any
software,
and
firmware
(including
designs
and
source
code)
organization
and
developer,
when
applicable).
updates
are
faithful
representations
of
the
master
copies
Developmental
security
testing/evaluation
occurs
at
all
postinherent
untrustworthiness
on
the
part
of
providers,
but
to the
and
the equivalent
data in master
copies
in operational
maintained
by of
thethe
developer
and have
noton-site
been
tampered
with
design
phases
system
development
life
cycle.
Such
intrinsic
level
of
risk
in
the
services.
environments
is essential to ensure the availability of
during
distribution.
testing/evaluation
confirmssystems
that thesupporting
required security
critical controls
missions
are
implemented
correctly,
operating
as
intended,
enforcing
and/or business functions.
the desired security policy, and meeting established security
requirements. Security properties of information systems may
be affected by the interconnection of system components or
changes to those components. These interconnections or
changes (e.g., upgrading or replacing applications and
operating systems) may adversely affect previously
implemented security controls. This control provides additional
types of security testing/evaluation that developers can
conduct to reduce or eliminate potential flaws. Testing custom
software applications may require approaches such as static
analysis, dynamic analysis, binary analysis, or a hybrid of the
three approaches. Developers can employ these analysis
approaches in a variety of tools (e.g., web-based application
scanners, static analysis tools, binary analyzers) and in source
code reviews. Security assessment plans provide the specific
activities that developers plan to carry out including the types
Static code analysis provides a technology and methodology

for security reviews. Such analysis can be used to identify
security
vulnerabilities
and
enforce security
coding
practices.
Applications
may deviate
significantly
from the
functional
and
Static
code
analysis
is
most
effective
when
used
early
in
the
design specifications created during the requirements and
development
process,
when each
code change
can be
design
phases
of thehave
system
development
life cycle.
Therefore,
Independent
agents
the
necessary
qualifications
automatically
scanned
for
potential
weaknesses.
Static(i.e.,
analysis
threat
and
vulnerability
analyses
of
information
systems,
expertise,
skills,
training,
and experience)
to verify
the correct
can
provide
clear
remediation
guidance
along
with
defects
system
components,
and information
system
services
prior to
to
implementation
of developer
security
assessment
plans.
enable
developers
to
fix
such
defects.
Evidence
of
correct
delivery are critical to the effective operation of those systems,
implementation
static analysis
for example,
components, andofservices.
Threatcan
andinclude,
vulnerability
analyses at
aggregate
defect
density
for
critical
defect
types,
evidence
that
this phase of the life cycle help to ensure that design
or
defects
were
inspected
by
developers
or
security
professionals,
implementation changes have been accounted for, and that
and
evidence
that defects
were as
fixed.
An excessively
high
any
new
vulnerabilities
created
a result
of those
changes
Manual
code
reviews
are
usually
reserved
for
the
critical
density
of ignored
findings
(commonly referred to as ignored or
have
been
reviewed
and
mitigated.
software
and
firmware
components
information
systems.
false positives)
indicates
a potentialof
problem
with the
analysis
Such
code
reviews
are
uniquely
effective
at
identifying
Penetration
testing
is ancases,
assessment
methodology
process or tool.
In such
organizations
weigh in
thewhich
validity
weaknesses
thatagainst
require
knowledge
of other
thetechnology
applications
assessors,
using
all
available
information
of the evidence
evidence
from
sources. product
requirements
or context
which
are generally
unavailable to
and/or
information
system
documentation
Attack
surfaces
ofanalytic
information
systems
are(e.g.,
exposed
areas
that
more
automated
tools
and
techniques
suchand
as static
or
product/system
design
specifications,
source
code,
make
those
systems
more
vulnerable
to
cyber
attacks.
This
dynamic
analysis. Components
benefiting
fromunder
manual
review
administrator/operator
manuals)
andweaknesses
working
specific
includes
any
accessible
areas where
or
Verifying
that
security
testing/evaluation
provides
complete
include
for
example,
verifying
access
control
matrices
against
constraints,
attempt
to circumvent
implemented
deficiencies
in information
systems
(including
thesecurity
hardware,
coverage
ofinformation
required
security
controls
can
beand
accomplished
application
controls
and
reviewing
more
detailed
aspects
of by
features
of
technology
products
information
software,
and
firmware
components)
provide
opportunities
for
a
variety
of
analytic
techniques
ranging
from
informal
to
cryptographic
implementations
and
controls.
Dynamic
code
analysis
provides
verification
ofwhite,
systems.
Penetration
testing
canrun-time
include,
for
example,
adversaries
to
exploit
vulnerabilities.
Attack
surface
reviews
formal.
Each
ofbox
these
techniques
provides
an increasing
level
software
programs,
using
tools
capable
of
monitoring
gray,
orthat
black
testing
with
analyses
performed
by programs
skilled
ensure
developers:
(i)
analyze
both
design
and
of
assurance
corresponding
to
theadversary
degree
ofactions.
formality
of the
for
memory
corruption,
user
privilege
issues,
and and
other
security
professionals
simulating
The
Information
systems
(including
system
components
that
implementation
changes
to information
systems;
(ii)
analysis.
Rigorously
demonstrating
security
control
coverage
at
potential
security
problems.
Dynamic
analysis
employs
objective
of penetration
testing
isbe
to
uncover
potential
compose
those
systems)
need
to
protected
the
mitigate
attack
vectors
generated
as
acode
result
ofthroughout
the
changes.
the
highest
levels
of
assurance
can
be
provided
by
the
use
of
run-time
tools
to
helplife
toflaws
ensure
thatduring
security
functionality
vulnerabilities
in information
technology
products
and
system
development
cycle
(i.e.,
design,
Correction
of
identified
includes,
for
example,
deprecation
The
use
of
acquisition
and
procurement
processes
by
formal
modeling
and
analysis
techniques
including
correlation
performs
in
the
manner
in
which
it
was
designed.
A
specialized
information
systems
resulting
from
implementation
errors,
development,
manufacturing,
packaging,
assembly,
of
unsafecontrol
functions.
organizations
early
in
the
system
development
life
cycle
between
implementation
and
corresponding
test cases.
type
of dynamic
analysis,
known
as fuzz testing,
induces
configuration
faults,
or other
operational
deployment
distribution,
system
integration,
operations,
maintenance,
and
provides
an
important
vehicle
to
protect
the
supply
chain.
Supplier
reviews
include,
for
example:
(i)tests
analysis
of systems
supplier
program
failures
by
deliberately
introducing
malformed
or
weaknesses
or deficiencies.
Penetration
can be
performed
retirement).
Protection
of
organizational
information
is
Organizations
use
available
all-source
intelligence
analysis
processes
used
tosoftware
design,
develop,
test,
implement,
verify,
random
data
into
programs.
Fuzz
testing
strategies
in
conjunction
with
automated
and manual
code
reviews
to to
accomplished
through
threat
awareness,
by
the
identification,
inform
the
tailoring
of
acquisition
strategies,
tools,
and
deliver,
and
support
information
systems,
system
components,
derive
from
the
intended
useof
ofvulnerabilities
applications
and
the
functional
provide
greater
levels
of analysis
than
would
ordinarily
be
management,
and
reduction
atand
each
phase
of
methods.
There
are
a
number
of
different
tools
techniques
and
information
system
services;
and
(ii)
assessment
of
design
specifications
for
the
applications.
To
understand
possible.
the
life cycle
and
the use of
complementary,
mutually system
available
(e.g.,
obscuring
the
endinuse
of hence
an information
supplier
training
and experience
developing
systems,
the
scope
ofstrategies
dynamic
code
analysis
and
the assurance
reinforcing
to
respond
to
risk.
Organizations
consider
or
system organizations
component,
using
blind
or filtered
buys). capability.
components,
or
services
with
the
required
security
provided,
may
also
consider
conducting
code
implementing
a
standardized
process
to
address
supply
chain
Organizations
also
consider
creating
incentives
for
suppliers
These
reviews
provide
organizations
withto
increased
levels
coverage
analysis
(checking
thesystems
degree
which
the
code of
has
risk
with
respect
to
information
and
system
who:
(i)
implement
required
security
safeguards;
(ii)
promote
Supply
chain
risk
is
part
of
the
advanced
persistent
threat
visibility
into
supplier
activities
during
the
system
development
been
tested
using
metrics
such
as
percent
of
subroutines
components,
and
to
educate
the acquisition
workforce
on
transparency
into
their
organizational
processes
and
security
(APT).
Security
safeguards
and
countermeasures
to
the
life
cycle
to
promote
more
effective
supply
chain
riskreduce
tested
orrisk,
percent
of
program
statements
called
during
threats,
and
required
security
controls.
Organizations
use
practices;
(iii)
provide
additional
vetting
of
thetoprocesses
and
probability
of
adversaries
successfully
identifying
and
targeting
management.
Supplier
reviews
can
also
help
determine
execution
of
the
test
suite)
and/or
concordance
analysis
the
acquisition/procurement
processes
to require
supply
chain
security
practices
ofthat
subordinate
suppliers,
critical
information
the
supply
chain
include,
for
example:
(i)safeguards
avoiding
the
purchase
whether
primary
suppliers
have
security
in
place
(checking
for
words
are
out
of
place
in
software
code
such
entities
to
implement
necessary
security
safeguards
to:
(i)
system
components,
andwords
services;
(iv)
restrict
purchases
from
of
custom
configurations
to
reduce
the
risk
of
acquiring
and
a
practice
for
vetting
subordinate
suppliers,
for
example,
as
non-English
language
or
derogatory
terms).
reduce
the
likelihood
of
unauthorized
modifications
at each
Assessments
include,
for
example,
testing,
evaluations,
specific
suppliers
or countries;
and
(v)
provide
contract
information
systems,
components,
or
products
that
have
been
secondand
third-tier
suppliers,
and
any
subcontractors.
stage
in the
supply
chain;
and (ii) protect
information
systems
reviews,
and
analyses.
Independent,
third-party
entities
or
language
regarding
the
prohibition
of
tainted
or
counterfeit
corrupted
via supply
chain
actions targeted
attaking
specific
and
information
system
components,
prior
to
deliverythe
of
organizational
personnel
conduct
assessments
ofminimizing
systems,
components.
In(ii)
addition,
organizations
consider
All-source
intelligence
analysis
is
employed
by
organizations
organizations;
employing
a
diverse
set
of
suppliers
to limitto
such
systems/components.
This
control
also
applies
to
components,
products,
tools,
andand
services.
Organizations
time
between
purchase
decisions
and
required
delivery
limit
inform
engineering,
acquisition,
risk
management
the
potential
harm
from
any given
supplier
in the
supplytochain;
information
system
services.
Security
safeguards
include,
for
conduct
assessments
to
uncover
unintentional
vulnerabilities
opportunities
for
adversaries
to
corrupt
information
system
decisions.
All-source
intelligence
consists
of
intelligence
(iii)
employing
approved
vendor
lists
standing
reputations
Supply
chain
information
includes,
forwith
example:
user
identities;
example:
(i)
security
controls
for
development
systems,
and
intentional
vulnerabilities
including,
for
example,
malicious
components
or
products.
Finally,
organizations
can
use
products
and/or
organizations
and
activities
that
incorporate
all
in
industry,
and
(iv)
using
procurement
carve
outs
(i.e.,
uses
for
information
systems,
information
system
components,
development
facilities,
and
external
connections
to
code,
malicious
processes,
defective
software,
and
trusted/controlled
distribution,
delivery,
and
warehousing
sources
of information,
most
including
human
exclusions
to commitments
orfrequently
obligations).
and
information
system
services;
supplier
identities;
supplier
development
systems;
(ii)
vetting
development
personnel;
and
For
some
system
especially
hardware,
counterfeits.
Assessments
cancomponents,
include,
forrequiring
example,
static
options
toinformation
reduce
supply
chain
risk
(e.g.,
tamperintelligence,
imagery
intelligence,
measurement
and
signature
processes;
security
requirements;
design
specifications;
testing
(iii)
use
of
tamper-evident
packaging
during
there
arepackaging
technical
means
to simulations,
helpand
determine
if the
components
analyses,
dynamic
analyses,
white,
gray,
and
evident
of
information
system
components
during
intelligence,
signals
intelligence,
open
source
data
in the
and
evaluation
results;
andaltered.
system/component
configurations.
shipping/warehousing.
Methods
forSecurity
reviewing
and
protecting
are
genuine
or
have
been
safeguards
used to
black
box
testing,
fuzz
testing,
penetration
testing,
and
shipping
and
warehousing).
This
control
enhancement
addresses
analysis
and/or
testing
of
production
of
finished
intelligence.
Where
available,
such
This
control
enhancement
expands
theare
scope
of OPSEC
to
development
plans,
evidence,
and documentation
are
validate
the
authenticity
of
information
systems
and
ensuring
that
components
or
services
genuine
(e.g.,
using
the
supply
chain,
not
just
delivered
items.
Supply
information
is used
to
analyze
the
risk
of both
intentional
and
include
suppliers
and
potential
suppliers.
OPSEC
ischain
a process
of
commensurate
with
the
security
category
or
classification
level
information
system
components
include,
example,
tags,
cryptographic
hash
verifications,
or for
digital
signatures).
elements
are
information
technology
products
or
product
unintentional
vulnerabilities
from
development,
manufacturing,
identifying
critical
information
and
subsequently
analyzing
of
the
information
system.
Contracts
may
specify
optical/nanotechnology
tagging
and assessments
side-channel
analysis.
Evidence
generated
during
security
components
that
contain
programmable
logicother
andis
thatThis
are For
and
delivery
processes,
people,
and
the
environment.
friendly
actions
attendant
to
operations
and
activities
to:
documentation
protection
requirements.
hardware,
detailed
bill
of
material
information
can
highlight
the
documented
for
follow-on
actions
carried
out
by
organizations.
critically
tooninformation
system
functions.
Supply
review
is important
performed
suppliers
at
multiple
tiers
in
the
supply
(i)
identify
those
actions
that
can
be
observed
by
potential
elements
with embedded
logic
complete
with component
and
chain
processes
include,
for
example:
(i) hardware,
software,
sufficient
to
manage
risks.
adversaries;
(ii)
determine
indicators
that
adversaries
might
production
location.
and
firmware
development
processes;
(ii) shipping/handling
obtain
that could
be interpreted
or pieced
together to derive
procedures;
(iii)
personnel
and
physical
security
programs;
(iv)
critical information in sufficient time to cause
harm
to
The establishment of inter-organizational agreements and

procedures provides for notification of supply chain
compromises.
Early
notification
of supply
chain compromises
Adversaries can
attempt
to impede
organizational
operations
that
can
potentially
adversely
affect
or
have
adversely
by disrupting the supply of critical information system affected
organizational
information
systems,operations.
including critical
system
components
corrupting
supplier
Safeguards
to
Knowing
whoor
and
what isfor
in
the
supply chains
of
organizations
components,
is
essential
organizations
to
provide
ensure
adequate
supplies
of
critical
information
system
is
critical to gaining
visibility
into
what is happening within such
appropriate
responses
toexample:
such
incidents.
components
include,
for
(i)and
the identifying
use of multiple
supply
chains,
as
well
as
monitoring
high-risk
Evidence
generated during
independent
or
organizational
suppliers
throughout
the
supply
chain
for
the
identified
events
and activities.
Without
reasonable
visibility
and critical
assessments
of
supply
chain
elements
(e.g.,
penetration
components;
and
(ii) stockpiling
of spare
components
to ensure
traceability
into
supply
chains (i.e.,
elements,
processes,
and
testing,
audits,
verification/validation
activities)
is documented
This
control
helps
organizations
to
make
explicit
operation
during
mission-critical
times.
actors),
it
is
very
difficult
for
organizations
to
understand
and
and
used in follow-on
processes
implemented
by organizations
trustworthiness
decisions
when
designing,
developing,
and
therefore
manage
risk,
and
to
reduce
the
likelihood
of
adverse
to
respond to the
risks related
to the
identified
weaknesses
and
implementing
information
systems
that
are
needed
to
conduct
events.
Uniquely
identifying
acquirer
and
integrator
roles,
deficiencies.
Supply
chain
elements
include,
for
example,
critical
organizational
missions/business
functions.
organizations,
personnel,
missionand
andsupplier
element
processes,
supplier
development
processes
distribution
Trustworthiness
is a characteristic/property
of
an information
testing
and
evaluation
procedures,
delivery
mechanisms,
systems.
system
expressescommunications/delivery
the degree to which the system
can be
support that
mechanisms,
paths, and
expected
to
preserve
the
confidentiality,
integrity,
and
disposal/final disposition activities as well as the components
Criticality
analysis
is a key tenet
of supply chain
risk
availability
of the
information
it processes,
stores,
or
transmits.
and tools used,
establishes
a foundational
identity
structure
for
management
informs
the
prioritization
of that
supply
chain
Trustworthy
systems
are systems
are
capable
assessment information
ofand
supply
chain
activities.
For example,
labeling
protection
activities
such
astagging
attackdefined
surface
reduction,
of allof
being
trusted
to operate
within
of riskuse
despite
(using
serial
numbers)
and
(using levels
radio-frequency
source
intelligence,
and
tailored
acquisition
strategies.
the
environmental
disruptions,
human
errors,
and
purposeful
identification [RFID] tags) individual supply chain elements
Information
system
engineers
can conduct
an
end-to-end
attacks
that
are expected
to occur
in the
specified
including
software
packages,
modules,
and
hardware
devices,
Development
tools
include,
for
example,
programming
functional
decomposition
of
an
information
system
to
environments
of
operation.
Trustworthy
systems
are
important
and
processes
associated
with those
elements
can be identify
used
for
languages
and
computer-aided
design
(CAD)
systems.
Reviews
mission-critical
functions
and
components.
The functional
to
mission/business
success.
Two
factors
affecting
thesupport
this
purpose.
Identification
methods
are
sufficient
to
of
developmentincludes
processes
include, for
the use of
decomposition
thecan
identification
ofexample,
core
organizational
trustworthiness
of
information
systems
include:
(i)
security
the
provenance
in
the
event
ofthe
a supply
chain
issue
or adverse
maturity
models
to
determine
potential
effectiveness
missions
supported
bysecurity
the system,
decomposition
into theof
functionality
(i.e.,
the
features,
functions, and/or
supply
chain
event.
such
processes.
Maintaining
the
integrity
of
changes
to tools to
specific
functions
to perform
missions,
traceability
mechanisms
employed
withinthose
the system
andand
its environment
and
processes
enables
accurate
supply
chain
risk
assessment
the
hardware, and
software,
and firmware
components
that
of operation);
(ii) security
assurance
(i.e., the grounds
for
and
mitigation,
requiresincluding
robust configuration
control
implement
those
functions,
when
functions
confidence
that and
the
security
functionality
is the
effective
in itsare
throughout
the
life
cycle (including
development,
shared
by many
components
withindesign,
and operators,
beyond
theand
application).
Developers,
implementers,
transport,
delivery,
integration,
and
maintenance)
to
information
boundary. information
Informationsystems
system components
maintainers system
of organizational
cantrack
increase
authorized
changes
and
prevent
unauthorized
changes.
that
allow
for
unmediated
access
to
critical
components
orby
the level of assurance (and trustworthiness), for example,
functions
consideredsecurity
critical due
to models,
the inherent
employingare
well-defined
policy
structured and
vulnerabilities
suchsoftware,
components
Criticality
is assessed
rigorous hardware,
andcreate.
firmware
development
in
terms of the
impact
of the function
or component
failureand
on
techniques,
sound
system/security
engineering
principles,
the
ability
of the component
complete
organizational
secure
configuration
settingsto
(defined
by the
a set
of assurancemissions
supported
by the
A criticality
related security
controls
in information
Appendix E).system.
Assurance
is also
analysis
performed
whenever
an architecture
design
based onisthe
assessment
of evidence
produced or
during
theis
Organizations
useorquality
metrics
to establish
minimum
being
modified,
including
upgrades.
systemdeveloped
development
life cycle.
Critical
missions/business
acceptable
levels
of information
system systems
quality. Metrics
functions are
supported
by high-impact
and themay
include
quality
gates
which
are
collections
of
completion
associated assurance requirements for such systems. The
criteria
or sufficiency
standards
the satisfactory
additional
assurance controls
in representing
Table E-4 in Appendix
E
execution
of as
particular
phases
the system
development
(designated
optional)
can beofused
to develop
and
project.
A quality
gate, for example,
requireinformation
the
implement
high-assurance
solutions may
for specific
elimination
all compiler
warnings
or an
explicit
systems andofsystem
components
using
the
concept of overlays
Information
development
teams
select
and
determination
that the
have
no
impact
ondeploy
the
described insystem
Appendix
I.warnings
Organizations
select
assurance
security
tools,
example, During
effectiveness
of required
security for
capabilities.
the
overlays tracking
that have
beenincluding,
developed,
validated,
and approved
vulnerability/work
item
tracking
systems
that
facilitate
execution
phases
of
development
projects,
quality
gates
for
community
adoption
(e.g.,
cross-organization,
This control enhancement provides developer input to the
assignment,
sorting,
filtering,
and
tracking
ofofcompleted
work
provide
clear,
unambiguous
indications
of progress.
Other
governmentwide),
limiting
the
development
such
overlays
criticality
analysis
performed
by
organizations
in
SA-14.
items
or
tasks
associated
with
system
development
processes.
metrics
apply
to
the
entire
development
project.
These
metrics
on an organization-by-organization
Organizations
Developer
input is essential to suchbasis.
analysis
because can
can
include
defining
the
severity
thresholds
of vulnerabilities,
conduct
criticality
as
described
in SA-14,
to determine
organizations
mayanalyses
not
have
access
to detailed
design
for
example,
requiring
no
known
vulnerabilities
in
the
delivered
the
information
systems,
system
components,
or
information
documentation for information system components that
are
information
system
with
a
Common
Vulnerability
Scoring
system
services
that
require
high-assurance
solutions.
developed as commercial off-the-shelf (COTS) information
System
(CVSS)
severity
of Medium
orspecifications,
High. overlays
Trustworthiness
requirements
and assurance
can be
technology
products
(e.g.,
functional
high-level
describedlow-level
in the security
plans
organizational
information
designs,
designs,
and for
source
code/hardware
systems.
schematics).
Attack surface reduction is closely aligned with developer

threat and vulnerability analyses and information system
architecture
and
design. Attack
surface
reduction
is a means of
Developers of
information
systems,
information
system
reducing
risk
to
organizations
by
giving
attackers
less
components, and information system services consider the
opportunity
to exploit weaknesses
or deficiencies
(i.e.,
effectiveness/efficiency
of current development
processes
for
potential
vulnerabilities)
within
information
systems,
meeting quality objectives and addressing security capabilities
information
system
components, and information system
in current threat
environments.
services. Attack surface reduction includes, for example,
applying the principle of least privilege, employing layered
defenses, applying the principle of least functionality (i.e.,
restricting ports, protocols, functions, and services),
deprecating unsafe functions, and eliminating application
programming interfaces (APIs) that are vulnerable to cyber
attacks.
Analysis of vulnerabilities found in similar software applications

can inform potential design or implementation issues for
information
systems
under
development.
Similar information
The use of live
data in
preproduction
environments
can result
systems
or
system
components
may
exist
within
developer
in significant risk to organizations. Organizations can minimize
organizations.
Authoritative
vulnerability
information
is
such
risk by using
test plan
or dummy
data during
the development
The
incident
response
for developers
of information
available
from
a
variety
of
public
and
private
sector
sources
and
testing
of information
systems,
informationsystem
systemservices
systems,
system
components,
and information
including,
for and
example,
the National
Vulnerability
Database.
components,
information
system
services.
is
incorporated
intodocumentation
organizational from
incident
plans to
Archiving
relevant
the response
development
provide
the
type
of
incident
response
information
not
readily
process can provide a readily available baseline of information
available
to helpful
organizations. information
Such information
may be extremely
that
can
be
system/component
This
control
applies during
towhen
external
and internal
(in-house)
helpful,
for
example,
organizations
respond
to
upgrades
or Training
modifications.
developers.
of personnel
is an essential
to
vulnerabilities
in commercial
off-the-shelf
(COTS)element
information
ensure
the
effectiveness
of
security
controls
implemented
This
control products.
is primarily directed at external developers,
technology
within
organizational
Training options
although it could alsoinformation
be used for systems.
internal (in-house)
include,
for example,
classroom-style
training,
web- at internal
development.
In contrast,
PL-8 is primarily
directed
based/computer-based
training,
and
hands-on
training.
developers to help ensure that organizations develop an
Organizations
can also
request sufficient
training
materials
architecture
and such
security
architecture
from
developers
to
conduct
in-house
training
or
offer
selfis integrated or tightly coupled to the enterprise architecture.
training
to organizational
personnel.
Organizationsoutsource
determine
This distinction
is important
if/when organizations
the
type
of
training
necessary
and
may
require
different
types
the development of information systems, information system
of
training
for
different
security
functions,
controls,
or
components, or information system services to external
mechanisms.
entities,
and there
is a requirement
to demonstrate
consistency
Formal models
describe
specific behaviors
or security
policies
with
the
organizations
enterprise
architecture
and
using formal languages, thus enabling the correctness of those
information
security
behaviors/policies
to architecture.
be formally proven. Not all components of
information systems can be modeled, and generally, formal
specifications are scoped to specific behaviors or policies of
interest (e.g., nondiscretionary access control policies).
Organizations choose the particular formal modeling language
and approach based on the nature of the behaviors/policies to
be described and the available tools. Formal modeling tools
include, for example, Gypsy and Zed.
Security-relevant hardware, software, and firmware represent

the portion of the information system, component, or service
that must be trusted to perform correctly in order to maintain
required security properties.
Correspondence is an important part of the assurance gained

through modeling. It demonstrates that the implementation is
an accurate transformation of the model, and that any
additional code or implementation details present have no
impact on the behaviors or policies being modeled. Formal
methods can be used to show that the high-level security
properties are satisfied by the formal information system
description, and that the formal system description is correctly
implemented by a description of some lower level, for example
a hardware description. Consistency between the formal toplevel specification and the formal policy models is generally not
amenable to being fully proven. Therefore, a combination of
formal/informal methods may be needed to show such
consistency. Consistency between the formal top-level
Correspondence
animplementation
important part of
therequire
assurance
gained
specification andisthe
may
the use
of an
through
It demonstrates
that the
informal modeling.
demonstration
due to limitations
inimplementation
the applicabilityisof
an
accurate
transformation
of the
the specification
model, and that
any
formal
methods
to prove that
accurately
additional
or implementation
details
presentand
hasfirmware
no
reflects thecode
implementation.
Hardware,
software,
impact
on thestrictly
behaviors
or policies
being modeled.
mechanisms
internal
to security-relevant
hardware,
Consistency
the
descriptive
top-levelmapping
specification
software, andbetween
firmware
include,
for example,
registers
(i.e.,
high-level/low-level
design) and the formal policy model is
and direct
memory input/output.
generally not amenable to being fully proven. Therefore, a
combination of formal/informal methods may be needed to
show such consistency. Hardware, software, and firmware
mechanisms strictly internal to security-relevant hardware,
software, and firmware include, for example, mapping registers
and direct memory input/output.
Anti-tamper technologies and techniques provide a level of

protection for critical information systems, system components,
and
information
technology
products
against aand
number
of
Organizations
use
a combination
of hardware
software
related
threats
including
modification,
reverse
engineering,
and
techniques for tamper resistance and detection. Organizations
substitution.
Strong identification
combined
with tamper
employ obfuscation
and self-checking,
for example,
to make
resistance
and/or
tamper
detection
is
essential
to protecting
reverse engineering and modifications more difficult,
timeinformation
components,
and products
during
consuming, systems,
and expensive
for adversaries.
Customization
of
distribution
whenand
in use.
information and
systems
system components can make
substitutions easier to detect and therefore limit damage.
This control enhancement addresses both physical and logical

tampering and is typically applied to mobile devices, notebook
computers,
or other system
components
taken
out of
Sources of counterfeit
components
include,
for example,
areas.
Indications
of need for inspection
manufacturers, developers,
vendors,
and contractors.
Antiinclude,
for
example,
when
individuals
return
from travel
to
counterfeiting policy and procedures support tamper
resistance
high-risk
locations.
and provide a level of protection against the introduction of
malicious code. External reporting organizations include, for
example, US-CERT.
Proper disposal of information system components helps to

prevent such components from entering the gray market.
Organizations determine that certain information system

components likely cannot be trusted due to specific threats to
and
vulnerabilities
in those
components,
for whichorthere
Because
the information
system,
system and
component,
are
no
viable
security
controls
to
adequately
mitigate
the
information system service may be employed in critical
resulting
Re-implementation
custom
development
of
activities risk.
essential
to the national or
and/or
economic
security
such
components
helps
to
satisfy
requirements
for
higher
interests of the United States, organizations have a strong
assurance.
This is accomplished
by initiating
changes The
to
interest in ensuring
that the developer
is trustworthy.
system
components
(including
hardware,
software,
and
degree of trust required of the developer may need to be
firmware)
standard
attacks
by adversaries
are
consistentsuch
with that
that the
of the
individuals
accessing
the
less
likely
to
succeed.
In
situations
where
no
alternative
Satisfying
required
anddeployed.
personnel
information
system/component/service
once
sourcing
available
and organizations
choose
not a
to
re- of
screening
criteria
includes,
for example,
providing
listing
Examplesisof
authorization
and
personnel
screening
criteria
implement
or
custom
develop
critical
information
system
all
the individuals
authorized
tobackground
perform development
activities
include
clearance,
satisfactory
checks,
citizenship,
Support
for information
system
components
includes,
for
components,
additional
safeguards
can
be
employed
(e.g.,
on
the
selected
information
system,
system
component,
or
and
nationality.
Trustworthiness
of developers
may
also include
example,
software
patches,
firmware
updates,
replacement
enhanced
auditing,
restrictions
on
source
code
and
system
information
system
service
so thatownership
organizations
can
a
review
and
analysis
of contracts.
company
andcomponents
any validate
parts,
and
maintenance
Unsupported
utility
access,
andcompany
protection
from
deletion
of
system
and
that
the
developer
has
satisfied
the
necessary
authorization
relationships
the
has
with
entities
potentially
(e.g.,
when files.
vendors are no longer providing critical software
application
and
screening
requirements.
affecting
the
quality/reliability
the systems,
or
patches),
provide
a substantialof
opportunity
for components,
adversaries to
services
being
developed.
exploit new weaknesses discovered in the currently installed
components. Exceptions to replacing unsupported system
This
control enhancement
addresses
thesystems
need tothat
provide
components
may include, for
example,
provide
continued
support for selected
information
system
components
critical mission/business
capability
where newer
technologies
that
are
no longer
by
the original
developers,
are
available
orsupported
where
systems
are
isolated
Thisnot
control
addresses
the the
establishment
ofso
policy
and that
vendors,
or
manufacturers
when
such
components
remain
installing
replacement
components
is not an of
option.
procedures
for the effective
implementation
selected
essential
to mission/business
operations. Organizations
can
security controls
and control enhancements
in the SC family.
establish
in-house
support,
for
example,
by
developing
customized
patches
for critical software
components
or secure
Orders, directives,
regulations,
and
the
services
of
external
providers
who
through
contractual
relationships,
provide
support
for system-specific
the designated
organization level
mayongoing
make the
need for
unsupported
components.
Such
contractual
relationships
policies and procedures unnecessary. The policy
can be can
include,
for
example,
Open
Source
Software
value-added
vendors.
Information system management functionality includes, for

example, functions necessary to administer databases, network
components,
workstations,ensures
or servers,
typically requires
thatand
administration
options
privileged
user
access.
The
separation
of
user
functionality
(e.g., administrator privileges) are not available to general
from
information
system management
functionality
is either
users
(including system
prohibiting
the use
of the
grey-out from
option
The
information
isolates
security
functions
physical
or
logical.
Organizations
implement
separation
of
commonly
used
to eliminate
accessibility
to such
information).
nonsecurity
functions
by means
of an isolation
boundary
system
management-related
functionality
from
user
Such
restrictions
include,
forand
example,
not presenting
(implemented
partitions
domains).
Such
isolation
Underlying
hardware
separation
mechanisms
include,
for
functionality
byvia
using
different
computers,
different
central
administration
options
until
users
establish
sessions
with
controls
access
to
and
protects
the
integrity
of
the
hardware,
example,
hardware
ring architectures,
implemented
processing
units, different
instances of commonly
operating systems,
administrator
software,
and privileges.
firmware
that
perform
those techniques,
security
functions.
within
microprocessors,
and
hardware-enforced
address
different
network
addresses,
virtualization
or
Security
function
isolation
occurscode
as aseparation
result of implementation;
Information
systems
implement
(i.e.,
segmentation
used
to
support
logically
distinct
storage
objects
combinations
of
these
or
other
methods,
as
appropriate.
This
the
functions
still be
scanned
andnonsecurity
monitored. functions)
Security
separation
of can
security
functions
from
in
with
separate
attributes
(i.e.,
readable,
writeable).
type
of
separation
includes,
for
example,
web
administrative
functions
that
are potentially
isolated
fromto
access
and
flow
In
those
instances
where
it
is
not
feasible
achieve
strict
a
number
of
ways,
including,
for
example,
through
the
interfaces
that use separate
authentication
methodsauditing,
for users
control
enforcement
functions
for rings
example,
isolation
of
functions
from security
functions,
provision
ofnonsecurity
security
kernels
viainclude,
processor
or processor
of
any
other
information
system
resources.
Separation
of it is
intrusion
detection,
andcode,
anti-virus
functions.
necessary
to
take
actions
to
minimize
the
nonsecurity-relevant
modes.
For
non-kernel
security
function
isolation
is often
The
reduction
in inter-module
to constrain
system
and user
functionality interactions
may include helps
isolating
functions
within
the
security
function
boundary.
Nonsecurity
achieved
through
file
system
protections
that
serve
to
protect
security
functions
and to manage
complexity.
of
administrative
interfaces
on different
domainsThe
andconcepts
with
functions
contained
within
the space
isolation
boundary
are
the
code and
on
disk,
and
address
protections
that
protect
coupling
cohesion
are
important
with
respect
to
modularity
additional
access
controls.
The
implementation
of layered
structures
with
minimized
considered
security-relevant
because
errors
or
maliciousness
executing
code.
Information
systems
restrict
access
to security
in
software
design.
Coupling
refers
to
the
dependencies
that in
interactions
among
security
functions
and
non-looping
layers
such
software,
virtue
ofmodules.
being
within
the mechanisms
boundary,
can
functions
through
the
use
of
access
control
and by
one
module
hasbyon
other
Cohesion
refers to the
(i.e.,
lower-layer
functions
do capabilities.
not
depend
on
higher-layer
This
control
prevents
information,
including
encrypted
impact
the
security
functions
of
organizational
information
implementing
least
privilege
While
the
ideal
is for
relationship
between
the different
functions
within functions
a particular
functions)
further
enables
the isolation
of by
security
representations
of
information,
produced
the
actions
of
prior
systems.
The
design
objective
is
that
the
specific
portions
of
all
of
the
code
within
the
security
function
isolation
boundary
module.
Good software
engineering practices rely on modular
and
management
of
complexity.
users/roles
(or
the
actions
of
processes
acting
on
behalf
of
information
systems
providing
information
security
are
of
to
only
contain
security-relevant
code,
it
is
sometimes
decomposition, layering, and minimization to reduce and prior
users/roles)
being
available
to
any
current
users/roles
(or
minimal
Minimizing
the
number
ofthe
nonsecurity
necessary
tofrom
include
nonsecurity
functions
within
isolation
manage size/complexity.
complexity,
thus
producing
software
modules
that are
current
processes)
that
obtain
access
to sharedofsystem
functions
in
security-relevant
components
information
boundary
asthe
an exception.
highly
cohesive
and
loosely
coupled.
This
control
enhancement
applies
when there
explicit
resources
(e.g.,
registers, main
memory,
hardtoare
disks)
after
systems
allows
designers
and
implementers
focus
only those
on
changes
in
information
processing
levels
during
information
resources
have been
back totoinformation
those functions
whichreleased
are necessary
provide thesystems.
desired The
system
operations,
forinexample,
during
multilevel
processing
A
variety
of
technologies
exist
toresources
limit,
or
in
cases,
control
of
information
shared
is some
also commonly
security
capability
(typically
access
enforcement).
By
and
periods
processing
with
information
at
different
eliminate
effects
of denial
service
attacks.
Forprotection.
example,
referred
tothe
as
object reuse
andof
residual
minimizing
nonsecurity
functions
within information
the
isolation
classification
levels
or
security
categories.
Organization-defined
boundary
protection
devices
can
filter
certain
types
of
packets
This
control
does
not
address:
(i)
information
remanence
which
boundaries,
the
amount
of
code
that
must
be
trusted
Restricting
the
of individuals
to approved
launch denial
ofto
service
procedures
mayability
include,
forreduced,
example,
sanitization
to
protect
information
system
components
on
internal
refers
to
residual
representation
of
data
that
has
been
enforce
security
policies
is
thus
contributing
to
attacks
requires
that the mechanisms
used for such attacks are
processes
for electronically
stored
information.
organizational
networks
from
being
directly
affected
by denial
nominally
erased
or removed;
(ii) covert
channels
(including
understandability.
unavailable.
Individuals
of
concern
can
include,
for
example,
Managing
excess
capacity
ensures
that
sufficient
capacity
is
of
service
attacks.
Employing
increased
capacity
and
storageinsiders
and/or timing
channels)
where shared
resources
are
hostile
or
external
adversaries
that
have
successfully
available
tocombined
counter
flooding
attacks.
Managing
excess
capacity
bandwidth
with
service
redundancy
also
reduce
manipulated
violate
information
flow
restrictions;
or (iii)
breached
theto
information
system
and
are
usingmay
the
system
as a
may
include,
for
example,
establishing
selected
usage
Organizations
consider
utilization
and
capacity
of
information
the
susceptibility
to
denial
of
service
attacks.
components
within
information
systems
for
which
there
are
platform
to
launch
cyber
attacks
on
third
parties.
Organizations
priorities,
quotas,
or partitioning.
system
resources
when
risk
denial
service
only
single
users/roles.
can restrict
the ability
ofmanaging
individuals
to from
connect
andoftransmit
due
to
malicious
attacks.
Denial
of
service
attacks
can
arbitrary information on the transport medium (i.e., network,
originate
from external
or internal can
sources.
Information
system
wireless spectrum).
Organizations
also limit
the ability
of
resources
to denialinformation
of service include,
example,
individualssensitive
to use excessive
system for
resources.
physical
disk
storage,
memory,
and CPU
Common
Protection
against
individuals
having
the cycles.
ability to
launch
safeguards
to
prevent
denial
of
service
attacks
related
to
denial of service attacks may be implemented on specific
Priority
protection
helps
prevent
lower-priority
processes
from
storage
utilization
and
capacity
include,
for
example,
instituting
information systems or on boundary devices prohibiting egress
delaying
or interfering
with
the information
system
servicing
disk
quotas,
configuring
information
systems
to automatically
to potential
target
systems.
any
higher-priority
processes.
Quotas
prevent
users
or
alert
administrators
when
specific
storage
capacity
Managed interfaces include, for example, gateways,thresholds
routers,
processes
from
obtaining
more
than
predetermined
amounts
are
reached,
using
file
compression
technologies
to
maximize
firewalls, guards, network-based malicious code analysis and of
resources.
This
control
does
not
apply
to
information
system
available
storage
space,
imposing
separate
partitions
for
virtualization
systems,
orand
encrypted
tunnels
implemented
components
for
which
there
are
only
single
users/roles.
system
and
user
data.
within a security architecture (e.g., routers protecting firewalls
or application gateways residing on protected subnetworks).
Subnetworks that are physically or logically separated from
internal networks are referred to as demilitarized zones or
DMZs. Restricting or prohibiting interfaces within organizational
information systems includes, for example, restricting external
web traffic to designated web servers within managed
Limiting the number of external network connections facilitates

more comprehensive monitoring of inbound and outbound
communications traffic. The Trusted Internet Connection (TIC)
initiative is an example of limiting the number of external
network connections.
This control enhancement applies to both inbound and

outbound network communications traffic. A deny-all, permitby-exception network communications traffic policy ensures
that only those connections which are essential and approved
are allowed.
This control enhancement is implemented within remote
devices (e.g., notebook computers) through configuration
settings
disable are
splitnetworks
tunnelingoutside
in those
and by
External to
networks
of devices,
organizational
preventing
those
configuration
settings
from
being
readily or
control. A proxy server is a server (i.e., information system
configurable
by
users.
This
control
enhancement
is
application)
that acts
as an intermediary
forfrom
clients
requesting
Detecting
outgoing
traffic
internal
implemented
withincommunications
the information
system
by the
detection
information
system
resources
(e.g.,
files,
connections,
web of
actions
that
may
pose
threats
to
external
information
systems
split
tunneling
(or offrom
configuration
settings that
allow split
pages,
or services)
other organizational
servers.
Client
is
sometimes
termed
extrusion
detection.
Extrusion
detection
tunneling)
in
the
remote
device,
and
by
prohibiting
the
requests
established
through
an
initial
connection
to
the
proxy
at
information
system
boundaries
as
partsplit
of managed
connection
if the
remote
device is
using
tunneling.
Split
server
are
evaluated
to
manage
complexity
and
to
provide
interfaces
includes
analysis
incoming
and
tunneling
might
be the
desirable
by of
remote
users
to outgoing
communicate
additional
protection
bysearching
limiting
direct
connectivity.
Web
communications
traffic
for
indications
of
internal
with
local
information
system
resources
such
as
printers/file
content
filtering
devices
are
one ofsystems.
the mostSuch
common
proxy
threats
to
the security
external
threats
servers.
However,
splitof
tunneling
would in
effect
allow
servers
providing
access
to
the
Internet.
Proxy
servers
support
Safeguards
implemented
byindicative
organizations
tothe
prevent
include,
for example,
traffic
of denial
of
service
unauthorized
external
connections,
making
system
more
logging
individual
Transmission
Control
Protocol
(TCP)
sessions
unauthorized
exfiltration
of exfiltration
information
from
information
attacks
andtotraffic
containing
maliciousof
code.
vulnerable
attack
and
to
organizational
and
blocking
specific
Uniform Resource
Locators (URLs),
systems
include,
for example:
(i) remote
strict
adherence
tothat
protocol
This
control
enhancement
provides
determinations
source
information.
Theand
use
of VPNs
for
connections,
when
domain
names,
Internet
Protocol
(IP)
addresses.
Web
formats;
(ii)
monitoring
for
beaconing
from
information
and
destination
addresswith
pairs
represent
authorized/allowed
adequately
provisioned
appropriate
security controls,
proxies
can
configured
with
lists ofmay
systems;
(iii)be
monitoring
for
steganography;
(iv)
disconnecting
communications.
Such
determinations
can
be
based
onfor
provide
the
organization
with
sufficient
assurance
that
itseveral
can
Host-based
boundary
protection
mechanisms
include,
authorized
and
unauthorized
websites.
external
network
interfaces
except
when
explicitly
needed;
(v)
factors
including,
for
example,
the
presence
of
effectively
treat
such
connections
as
non-remote
connections
example,
host-based
firewalls. Information
systemand
components
disassembling
and
reassembling
packet
headers;
(vi)
source/destination
address
in lists
of authorized/allowed
from
the confidentiality
andpairs
integrity
perspective.
VPNs thus
employing
host-based
boundary
protection
mechanisms
Physically
separate
subnetworks
with
managed
interfaces
employing
traffic
profile
analysis
to
detect
deviations
from
the
communications,
the
absence
of
address
pairs
in
lists
of are
provide afor
means
for allowing
non-remote
communications
include,
example,
servers,
workstations,
and
mobile
useful,
for example,
in isolating
computer
network
defenses
volume/types
of traffic
expected
within
organizations
or call
unauthorized/disallowed
pairs,
meeting
more general
rules
paths
from
remote
devices.
Theor
use
of an
adequately
devices.
from
critical
operational
processing
networks
to
prevent
backs
to
command
and
control
centers.
Devices
enforcing
strict
for
authorized/allowed
source/destination
pairs.
provisioned
VPN does not
eliminate the need
for preventing
adversaries
from
discovering
the
analysis
and
forensics
adherence
to
protocol
formats
include,
for
example,
deep
split tunneling.
techniques
of organizations.
packet inspection
firewalls and XML gateways. These devices
verify adherence to protocol formats and specification at the
application layer and serve to identify vulnerabilities that
cannot be detected by devices operating at the network or
Information systems operating at different security categories

or classification levels may share common physical and
environmental controls, since the systems may share space
within organizational facilities. In practice, it is possible that
these separate information systems may share common
This
controlrooms,
enhancement
protectsand
network
equipment
wiring closets,
cable addresses
distributionofpaths.
information
system
components
that
are
part
of managed
Protection against unauthorized physical connections
can be
interfaces
from
discovery
through
common
tools
and formats
Information
components
that enforce
protocol
achieved, forsystem
example,
by employing
clearly identified
and
techniques
used
to
identify
devices
on
networks.
Network
include,
forseparated
example, cable
deep trays,
packetconnection
inspection frames,
firewallsand
andpatch
XML
physically
addresses
are
not
available
for discovery
(e.g.,
network
gateways.
Such
system
components
verify
adherence
to
panels
for
each
side
of
managed
interfaces
with
physical
Fail
secure
ispublished
a condition
employing
information
address
not
or achieved
entered
inbydomain
systems),
protocol
formats/specifications
(e.g.,
IEEE)
atname
theofapplication
access
controls
enforcing
limited
authorized
access
to these
system
mechanisms
to
ensure
that
in
the
event
operational
requiring
prior
knowledge
for
access.
Another
obfuscation
layer
and
identify
significant
vulnerabilities
that
cannot
be
items.
failures
of boundary
protection
devices
at managed
Communication
clients
independently
configured
by interfaces
end users
technique
is devices
to periodically
change
network
addresses.
detected
by
operating
at
the
network
or
transport
(e.g.,
routers,service
firewalls,
guards,include,
and application
gateways
and
external
providers
for example,
instant
layers.
residing
on clients.
protected
subnetworks
commonly
referred
to as
messaging
Traffic
blocking
does
not
apply
to
The
capabilityzones),
to dynamically
isolate
or segregate
certain
demilitarized
information
systems
do
not
enter
into to
communication
clients
are configured
by organizations
internal
components
ofthat
organizational
information
systems
is
unsecure
states
where
intended
security
properties
no
longer
perform
authorized
functions.
useful
when
it
is
necessary
to
partition
or
separate
certain
Organizations
can
isolate information
system cannot
components
hold. Failures of
boundary
protection devices
lead to, or
components
of
dubious
origin
from
those
components
performing
different
missions
business
functions.
Such
cause information
external
to and/or
the devices
to enter
the devices,
possessing
greater
trustworthiness.
Component
isolation
isolation
limits
unauthorized
information
flows
among
system
nor
can
failures
permit
unauthorized
information
releases.
Decomposition
of information
systems into subnets
helps to
reduces
the attack
surface
of organizational
information
components
and also
provides
the
opportunity
to deploy
provide
the
appropriate
level
of
protection
for
network
systems.
Isolation
of selected
system components
greater
levels
protection
forinformation
selected
components.
connections
toof
different
security
domains
containing
Disabling
feedback
to
senders
when
there
is successful
a failure
incyber
is
also
a
means
of
limiting
the
damage
from
Separating
system
components
with
boundary
protection
information
with
different
security
categories
or
classification
protocol
validation
prevents
from
obtaining
attacks
when
thoseformat
attacks
occur. adversaries
mechanisms
provides
the capability
for increased
protection
of
levels.
information
which
would
otherwise
be
unavailable.
This
control
applies to both
internal
and external
networks and
individual
components
and to
more effectively
control
all
types of information
system
components
from
which
information
flows between
those
components.
This
type of
information
can
be
transmitted
(e.g.,
servers,
mobile
devices,
enhanced
protection
limits
the
potential
harm
from
cyber
Encrypting information for transmission protects information
notebook
computers,
printers,
copiers,
scanners,
facsimile
attacks
and errors. disclosure
The degreeand
of separation
provided
varies
from unauthorized
modification.
Cryptographic
machines).
Communication
paths
outside
the
physical
depending
upon
the
mechanisms
chosen.
Boundary
protection
mechanisms
implemented
to protect information
integrity
Information
can
be either
unintentionally
orgateways,
maliciously
protection
ofexample,
a controlled
boundary
are
exposed
to the
mechanisms
include,
for
example,
routers,
andhave
include,
for
cryptographic
hash
functions
which
disclosed
or
modified
during
preparation
forProtecting
transmission
possibility
of
interception
and
modification.
the or
firewalls
separating
system
components
into
physically
common
application
in digital
signatures,
checksums,
and
during
reception
including,
for
example,
during
aggregation,
at
This
control
enhancement
addresses
protection
against
confidentiality
and/or
integrity
of
organizational
information
separate
networks
or subnetworks,
cross-domain
devices
message
authentication
codes.
Alternative
physical
security
protocol
transformation
points,
and
during
packing/unpacking.
unauthorized
disclosure
of
information.
Message
can
be accomplished
byexample,
physical
means
(e.g.,
byexternals
employing
separating
subnetworks,
virtualization
techniques,
and
safeguards
include,
for
distribution
These
unauthorized
disclosures
orprotected
modifications
compromise
include,
for
example,
message
headers/routing
information.
protected
distribution
systems)
or
by
logical
means
(e.g., using
encrypting
information
flows
among
system
components
This
control enhancement
addresses
protection against
systems.
the
confidentiality
or
integrity
of theOrganizations
information.
This
control
enhancement
prevents
the
exploitation
of message
employing
encryption
techniques).
relying
on
distinct
encryption
keys.
unauthorized disclosure of information. Communication
externals
and
applies
to
both
internal
and
external
networks
or
commercial
providers
offering
transmission
services
as
patterns include, for example, frequency, periods, amount, and
links
that
may
be
visible
to
individuals
who
are
not
authorized
commodity services
rather
than as fully dedicated
predictability.
Changes
to communications
patternsservices
can reveal
users.
Header/routing
information
is
sometimes
transmitted
(i.e.,
services
which
can
be
highly
specialized
to
individual
information having intelligence value especially when
This
control
applies
toavailable
both
internal
and
external
networks.
unencrypted
because
the
is obtain
notrelated
properly
identified
customer
needs),
may
findinformation
it
difficult
to
the
necessary
combined
with
other
information
to
Terminating
network
connections
associated
with
by
organizations
as
having
significant
value
or
because
assurances
regarding
the
implementation
of
needed
security
missions/business functions supported by organizational
communications
sessions
include,
for in
example,
de-allocating
encrypting
information
can by
result
lower
controls
for the
transmission
In suchinput
Trusted
paths
are
mechanisms
which
users network
(through
information
systems.
Thisconfidentiality/integrity.
control
enhancement
prevents
the
associated
TCP/IP
address/port
pairs
at
the
operating
system
performance
and/or
higher
costs.
Alternative
physical
situations,
organizations
determine
what
types
of
devices)
can
directly
with security functions
of
derivation
of communicate
intelligence based
on communications
patterns
level,
or de-allocating
networking
assignments
the
safeguards
include,
for
example,
protected
distribution
confidentiality/integrity
services
are
available
inatstandard,
information
systems
with
theand
requisite
assurance
to
and applies
to both internal
external
networks
orsupport
links that
application
level
multiple
application
sessions
are
using
systems.
commercial
telecommunication
service
packages.
Ifbe
itusers.
is a
information
security
policies.
The
mechanisms
can
activated
may be visible
toifindividuals
who
are not
authorized
single,
operating
system-level
network
connection.
Time
infeasible
or
impractical
to
obtain
the
necessary
security
only
by users
the and
security
functionsinofcontinuous,
organizational
Encrypting
theorlinks
transmitting
Cryptographic
key management
and
establishment
canare
be
periods
inactivity
may
be
established
organizations
and
controls of
and
assurances
of
control
effectiveness
information
systems.
User
responses
via by
trusted
paths
fixed/random
patterns
prevents
the
derivation
ofthrough
intelligence
performed
using
manual
procedures
or
automated
mechanisms
include,
example,
time
periods
by
type
of
network
access
or
appropriate
contracting
vehicles,
organizations
protected
from
modifications
by or
disclosure
toimplement
untrusted
from thefor
system
communications
patterns.
Alternative
physical
with
supporting
manual
procedures.
Organizations
define
key
for
specific
network
accesses.
appropriate
compensating
security
controls
or
explicitly
accept
Escrowing
encryption
keys
is a protected
common
ensuring
applications.
Organizations
employ
trusted practice
paths
forfor
highsafeguardsofinclude,
for example,
distribution
management
requirements
in accordance
with
applicable
the
additional
risk.eventbetween
availability
in the
of loss
ofsecurity
keys (e.g.,
due
toof
forgotten
assurance
connections
functions
systems.
federal
laws,systems
Executive
Orders,
directives,
regulations,
policies,
passphrase).
information
and
users (e.g.,
during
system logons).
standards,
and
guidance,
specifying
appropriate
options,
Enforcement of trusted communications paths is typically
levels,
and
Organizations
manage
stores to
provided
viaparameters.
an implementation
that meets
the trust
reference
ensure
that
only
approved
trust
anchors
are
in
such
trust
monitor concept.
stores. This includes certificates with visibility external to
organizational information systems and certificates related to
the internal operations of systems.
Cryptography can be employed to support a variety of security

solutions including, for example, the protection of classified
and Controlled Unclassified Information, the provision of digital
signatures, and the enforcement of information separation
when authorized individuals have the necessary clearances for
such information but lack the necessary formal access
approvals. Cryptography can also be used to support random
number generation and hash generation. Generally applicable
cryptographic standards include FIPS-validated cryptography
and NSA-approved cryptography. This control does not impose
any requirements on organizations to use cryptography.
However, if cryptography is required based on the selection of
other security controls, organizations define each type of
cryptographic use and the type of cryptography required (e.g.,
Collaborative
computing
devices include,
for example,
protection of classified
information:
NSA-approved
networked
white
boards,ofcameras,
and microphones.
Explicit
cryptography;
provision
digital signatures:
FIPS-validated
indication
of use includes, for example, signals to users when
cryptography).
collaborative computing devices are activated.
Failing to physically disconnect from collaborative computing

devices can result in subsequent compromises of
organizational information. Providing easy methods to
physically disconnect from such devices after a collaborative
computing session helps to ensure that participants actually
Failing
to the
disable
or remove
collaborative
computing
carry out
disconnect
activity
without having
to godevices
through
from
information
systems
or
information
system
components
complex and tedious procedures.
can
inenhancement
subsequent compromises
of organizational
This result
control
helps to prevent
unauthorized
information
including,
for
example,
eavesdropping
on
individuals from participating in collaborative computing
conversations.
sessions
without the
explicit
knowledge
of other associated
participants.
Security attributes
can
be explicitly
or implicitly
with
the information contained in organizational information
systems
or system
components.
This control
enhancement
ensures that the verification of the
integrity of transmitted information includes security attributes.
For all certificates, organizations manage information system
trust stores to ensure only approved trust anchors are in the
trust
stores.
This control
addresses both
certificates
Decisions
regarding
the employment
of mobile
code with
within
visibility
external
to
organizational
information
systems
and
organizational information systems are based on the potential
certificates
to damage
the internal
operations
systems, for
for the coderelated
to cause
to the
systems of
if used
example,
application-specific
time
services.
maliciously. Mobile code technologies include, for example,
Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies,
Flash animations, and VBScript. Usage restrictions and
implementation guidance apply to both the selection and use
of mobile code installed on servers and mobile code
downloaded and executed on individual workstations and
devices (e.g., smart phones). Mobile code policy and
procedures address preventing the development, acquisition,
or introduction of unacceptable mobile code within
organizational information systems.
Corrective actions when unacceptable mobile code is detected

include, for example, blocking, quarantine, or alerting
administrators. Blocking includes, for example, preventing
transmission of word processing files with embedded macros
when such macros have been defined to be unacceptable
mobile code.
Actions enforced before executing mobile code, include, for
example, prompting users prior to opening electronic mail
attachments. Preventing automatic execution of mobile code
includes, for example, disabling auto execute features on
information system components employing portable storage
devices such as Compact Disks (CDs), Digital Video Disks
(DVDs), and Universal Serial Bus (USB) devices.
This control enables external clients including, for example,

remote Internet clients, to obtain origin authentication and
integrity verification assurances for the host/service name to
network address resolution information obtained through the
service. Information systems that provide name and address
resolution services include, for example, domain name system
(DNS) servers. Additional artifacts include, for example, DNS
Security (DNSSEC) digital signatures and cryptographic keys.
DNS resource records are examples of authoritative data. The
means to indicate the security status of child zones includes,
for example, the use of delegation signer resource records in
the DNS. The DNS security controls reflect (and are referenced
Each
of name resolution
services
eithersystems
performs
thisuse
from) client
OMB Memorandum
08-23.
Information
that
validation
on
its
own,
or
has
authenticated
channels
to
trusted
technologies other than the DNS to map between host/service
validation
Information
systems
thatmeans
provide
names andproviders.
network addresses
provide
other
to name
assure
and
address
resolution
services
for
local
clients
include,
for
the authenticity and integrity of response data.
example, recursive resolving or caching domain name system
Information
systems
that provide
name
and
address
resolution
(DNS) servers.
DNS client
resolvers
either
perform
validation
of
services
include,
for
example,
domain
name
system
(DNS)
DNSSEC signatures, or clients use authenticated channels to
servers.
Toresolvers
eliminate
single
points
of failure
and toInformation
enhance
This
control
addresses
communications
protection
at
the
recursive
that
perform
such
validations.
redundancy,
organizations
employ
at
least
two
authoritative
session,
packet
level (e.g.,
sessions
in service-oriented
systems versus
that use
technologies
other
than the
DNS to map
domain
name
system names
servers,
onenetwork
configured
as establishes
the provide
primary
architectures
providing
web-based
services)
and
between
host/service
and
addresses
This
control
enhancement
curtails
the
ability
of adversaries
server
and
the
other
configured
as
the
secondary
server.
grounds
for confidence
at bothto
ends
of the
communications
other
means
to and
enable
clients
verify
authenticity
and
from
capturing
continuing
to
employ
previously
valid
Additionally,
organizations
typically
deploy
theand
servers
in two
sessions
in
ongoing
identities
of
other
parties
in
the
integrity
of
response
data.
session
IDs.
geographically
separated
network subnetworks
not
validity of information
transmitted.
Authenticity (i.e.,
protection
located
theexample,
same physical
facility).
For man-in-the-middle
role separation, DNS
includes,infor
protecting
against
servers
with
internal
roles
only
process
name
and
address
This
control enhancement
curtails
the ability
adversaries
attacks/session
hijacking and
the insertion
of of
false
information
resolution
requests
from
within
organizations
(i.e.,
from
from
reusing previously valid session IDs. Employing
theinternal
into sessions.
clients).
DNS
servers
with
external
roles
only
process
name and
concept of randomness in the generation of unique session
address
resolution
information
requests
from
clients
external
to
identifiers helps to protect against brute-force attacks to
organizations
(i.e.,session
on external
networks including the Internet).
determine future
identifiers.
Organizations specify clients that can access authoritative DNS
servers in particular roles (e.g., by address ranges, explicit
lists).
Reliance on certificate authorities (CAs) for the establishment

of secure sessions includes, for example, the use of Secure
Socket
Layer
(SSL)state
and/or
Transportsecurity
Layer Security
(TLS)
Failure in
a known
addresses
concerns
in
certificates.
These
certificates,
after
verification
by
the
accordance with the mission/business needs of organizations.
respective
authorities,
facilitate
the establishment
Failure
in a certificate
known
state helps
tocomponents
prevent
the with
loss of of
The
deployment
ofsecure
information
system
protected
sessions
between
web
clients
and
web
servers.
confidentiality,
integrity,
or availability
of information
inthin
the
reduced/minimal
functionality
(e.g., diskless
nodes and
event
of
failures
of
organizational
information
systems
or
client
technologies)
the to
need
to secure
every user
A
honeypot
is set upreduces
as
a decoy
attract
adversaries
and
system
components.
Failure
in
a
known
safe
state
helps
to to
endpoint,
and
may
reduce
the
exposure
of
information,
deflect
their
attacks
away
from
operational
prevent
systems
from
failing
to the
a state
that attacks.
maysystems
cause injury to
information
systems,
and
services
to cyber
supporting
organizational
missions/business
function.
individuals or destruction to property. Preserving
information
Depending
upon
the specific
usage of
the honeypot,
system state
information
facilitates
system
restart and return
consultation
with the
Office
of the General
Counsel
before
to
the operational
mode
of organizations
with
less disruption
Platforms
aremay
combinations
of hardware and
software
used toof
deployment
be
needed.
mission/business
processes.
run software applications.
Platforms include: (i) operating
systems;
(ii)addresses
the underlying
computer architectures,
or of
(iii)
This control
the confidentiality
and integrity
both.
Platform-independent
applications
are
applications
that
information at rest and covers user information and system
run
on
multiple
platforms.
Such
applications
promote
information.
Information atmechanisms
rest refers toisthe
state
Selection
ofand
cryptographic
based
onofthe
need to
portability
reconstitution
on
different
platforms,
increasing
information
when
it
is
located
on
storage
devices
as
specific
protect
the confidentiality
and integrity
oforganizations
organizationalwhile
the
availability
critical functions
within
components
of of
information
systems.
System-related
information.
The
strength
of
mechanism
is
commensurate
with
Removing
organizational
information
fromfor
online
information
information
systems
with
specificincludes,
operating
systems
are under
information
requiring
protection
example,
the
security
category
and/or
classification
of
the
information.
system
storageortorule
off-line
eliminates
the possibility
attack.
configurations
sets storage
for firewalls,
gateways,
intrusion of
This
controlgaining
enhancement
applies
to significant
concentrations
individuals
unauthorized
access
to
the
information
Increasing
the diversity
of information
within
detection/prevention
systems,
filtering
routers,
andfor
of
digitalamedia
in organizational
areastechnologies
designated
media
through
network.
Therefore,
organizations
may
choose
organizational
information
systems
reduces
the
impact
ofto
authenticator
content.
Organizations
may
employ
different
storage
and
also
to
limited
quantities
of
media
generally
move
information
to off-line
storage
in and
lieu of
protecting
such
potential
exploitations
ofconfidentiality
technologies
and
also
mechanisms
to changes
achieve
integrity
While
frequent
tospecific
operating
systems
and
associated
with
information
system
components
inapplications
operational
information
in
online
storage.
defends
against
common
including
those
protections,
including
the mode
usestorage
offailures,
cryptographic
mechanisms
pose
configuration
management
challenges,
the
changes
can
environments
(e.g.,
portable
devices,
mobile
devices).
failures
induced
by
supply
chain
attacks.
Diversity
in
and
file
share
scanning.
Integrity
protection
can
be
achieved,
result
in
an
increased
work
factor
for
adversaries
in
order
to
Organizations
have
the
flexibility
to
either
encrypt
all
Concealment
and
misdirection
techniques
can significantly
information
technologies
also
reduces
the
likelihood
that
the
for
example,
by
implementing
Write-Once-Read-Many
(WORM)
carry
out
successful
cyber
attacks.
Changing
virtual
operating
information
on
storage
devices
(i.e.,
full
disk
encryption)
or
reduce
the
targeting
capability
of
adversaries
(i.e.,
window
of
means
adversaries
use
toascompromise
one
information
system
technologies.
Organizations
may(e.g.,
alsotofiles,
employ
other
security
systems
or applications,
opposed
changing
actual
encrypt
specific
data
structures
records,
or
fields).
opportunity
and
available
attack
surface)
to
initiate
and
component
willemploying
be for
equally
effective
against
other
system
controls
including,
example,
secure
off-line
storage
lieu of
operating
systems/applications,
provide
virtual
changes
that
Organizations
cryptographic
mechanisms
toin
protect
complete
cyber
attacks.
For
example,
virtualization
techniques
components,
thus
further
increasing
the
adversary
work
factor
online
storage
when
adequate
protection
of
information
at
rest
impede
attacker
success
while
reducing
configuration
information
at rest
also
consider
cryptographic
key
provide
organizations
with
the and/or
ability
to
disguise
information
to
successfully
complete
planned
cyber
attacks.
An
increase
in
cannot
otherwise
be
achieved
continuous
monitoring
to
Randomness
introduces
increased
levels of uncertainty
for can
management
efforts.
In addition,
virtualization
techniques
solutions.
systems,
potentially
reducing
the
likelihood
of
successful
diversity
may
add code
complexity
and
management
overhead
identify
malicious
at rest.
adversaries
regarding
organizations
take
inIncreased
assist
organizations
in the
isolating
untrustworthy
software
and/or
attacks
without
the cost
ofactions
having
multiple
platforms.
which
could
ultimately
lead
to
mistakes
and
unauthorized
defending
against
cyber
attacks.
Such
actions
may
impede
software
of
dubious
provenance
into
confined
execution
Adversaries
target critical organizational
missions/business
use
of concealment/misdirection
techniques
including, for the
configurations.
ability
of
adversaries
to
correctly
target
information
resources
environments.
functions
the information
resources
supporting those
example, and
randomness,
uncertainty,
and virtualization,
may
of
organizations
supporting
critical
missions/business
functions.
missions
and
functions
while
at
the
same
time,
trying
to
sufficiently
confuse
and
mislead
adversaries
and
subsequently
This
control enhancement
misleads
potential
adversaries
Uncertainty
may
also
cause
adversaries
totradecraft.
hesitate
before
minimize
exposure
of
their
existence
and
The static,
increase
the
risk
of
discovery
and/or
exposing
tradecraft.
regarding
the
nature
and
extent
of
security
safeguards
initiating
or
continuing
attacks.
Misdirection
techniques
homogeneous,
and deterministic
nature
of organizational
Concealment/misdirection
techniques
may
also provide
deployed
by
organizations.
As afor
result,
adversaries
may certain
By
hiding,randomness
disguising,
or
otherwise
concealing
critical
involving
include,
example,
performing
information
systems
targeted
by
adversaries,
make
such
organizations
additional
time
to
successfully
perform
core
employ
incorrect
(and
as
a
result
ineffective)
attack
information
system
components,
organizations
may
be
able to
routine
actions
at different
times
of
day, employing
different
systems
more
susceptible
to
cyber
attacks
with
less
adversary
missions
and
business
functions.
Because
of
the
time
techniques.
One
way of misleading
adversaries
is
for and effort
decrease
the
probability
that
adversaries
target
and
information
technologies
(e.g.,
browsers,
search
engines),
Developers
are
inplace
the
best
position
to identify
potential areas
cost
and to
effort
to
be
successful.
Changing
organizational
required
support
concealment/misdirection
techniques,
it is
organizations
tosuppliers,
misleading
information
regarding
the
successfully
compromise
those
assets.
Potential
means
for
using
different
and
rotating
roles
and
responsibilities
within
systems
might
lead towould
covert
channels.
processing
and
storage
locations
(sometimes
referred
to as
anticipated
thatthat
such
techniques
be
used
by Covert
specific
security
controls
deployed
ininformation
external
information
organizations
to
hide
and/or
conceal
system
of
organizational
personnel.
channel
analysis
is
a
meaningful
activity
when
there
is
moving
target
defense)
addresses
the
advanced
persistent
organizations
on
a
very
limited
basis.
systems
thatinclude,
are known
be accessed
or targeted
by the or
components
for to
example,
configuration
of routers
potential
for
unauthorized
information
flows
across
security
threat
(APT)
using
techniques
such
as
virtualization,
distributed
adversaries.
Another technique
is the techniques.
use of deception
nets
the
use offor
honeynets
orinvirtualization
domains,
example,
the
case
of
information
systems
processing,
and
replication.
This
enables
organizations
to
(e.g., honeynets, virtualized environments) that mimic actual
containing
export-controlled
information
and having
relocate
the
information resources
(i.e.,
processing
and/or
aspects of
organizational
information
systems
but use,
for
connections
to external
networks
(i.e.,
networks
not
controlled
storage)
critical
missions
and
business
functions.
example,supporting
out-of-date
software
configurations.
by
organizations).
channelactivities
analysis is
also meaningful
Changing
locationsCovert
of processing
and/or
storage sites
for
multilevel
secure (MLS)
systems,
multiple
introduces
uncertainty
into information
the targeting
activities
by
security
level
(MSL)
systems,
and
cross-domain
systems.
adversaries.
This
uncertainty
increases
the
work
factor
of
Information system developers are in the best position to
adversaries
making compromises
or identified
breaches to
organizational
reduce the maximum
bandwidth for
covert
storage
information
systems
much
more
difficult
and
time-consuming,
and timing channels.
and increases the chances that adversaries may inadvertently
disclose aspects of tradecraft while attempting to locate critical
organizational resources.
This control enhancement addresses covert channel bandwidth

in operational environments versus developmental
environments.
Measuring
covertischannel
bandwidth
in
Information system
partitioning
a part of
a defense-in-depth
operational
environments
helps organizations
to determine
protection strategy.
Organizations
determine the
degree of
how
much
information
can
be
covertly
leaked
before
such
physical separation of system components from physically
leakage
adversely
affects
organizational
missions/business
distinct components in separate racks in the same room, to
functions.
Covert
channelrooms
bandwidth
becritical
significantly
components
in separate
for themay
more
The
term
operating
environment
is
defined
as
the
code
different
when
measured
in
those
settings
that
arespecificof
components, to more significant geographical separation
the
that
hosts
applications,
for
example,
operating
systems,
independent
of
the
particular
environments
of
operation
(e.g.,
most critical components. Security categorization can guide the
executives,
including
virtual
machine
monitors (i.e.,
laboratories
ormonitors
development
environments).
selection of or
appropriate
candidates
for domain
partitioning.
hypervisors).
It
can
also
include
certain
applications
running
Managed interfaces restrict or prohibit network access
and
directly
on
hardware
platforms.
Hardware-enforced,
read-only
information flow among partitioned information system
media
include, for example, Compact Disk-Recordable (CDcomponents.
R)/Digital Video Disk-Recordable (DVD-R) disk drives and oneThis
enhancement:
(i) eliminates
theuse
possibility
time control
programmable
read-only
memory. The
of non- of
malicious
insertion
viathe
persistent,
storage
within
modifiablecode
storage
ensures
integritywriteable
of software
from the
the
designated
information
system
components;
and
(ii)
point
of
creation
of
the
read-only
image.
The
use
of
Security safeguards prevent the substitution of media into
applies
to both
fixed
and
removable
storage,
theas
latter
reprogrammable
read-only
memory
can
be accepted
readinformation
systems
or
the
reprogramming
ofwith
programmable
being
addressed
directly
or
as
specific
restrictions
imposed
only
media
provided:
(i)
integrity
can
be
adequately
protected
read-only media prior to installation into the systems. Security
through
controls
for mobile
devices.
from
theaccess
point
of
initial
writing
to athe
insertion ofofthe
memory
safeguards
include,
for example,
combination
prevention,
into
the
information
system;
and
(ii)
there
are
reliable
hardware
detection, and response.
protections against reprogramming the memory while installed
in organizational information systems.
Honeyclients differ from honeypots in that the components

actively probe the Internet in search of malicious code (e.g.,
worms)
contained
on external
websites.
As multiple
with honeypots,
Distributing
processing
and storage
across
physical
honeyclients
require
some
supporting
isolation
measures
locations provides some degree of redundancy or
overlap (e.g.,
for
virtualization)
to
ensure
that increases
any malicious
codefactor
discovered
organizations,
and
therefore
the
work
of
Distributed
processing
and/or storage
may be does
employed
to
during
the search
and subsequently
executed
not infect
adversaries
to
adversely
impact
organizational
operations,
reduce
opportunities
for adversaries
to successfully
organizational
information
systems.
assets,
and individuals.
This
control
does not
assume a single
compromise
the
confidentiality,
integrity,
orlocal
availability
of
Out-of-band
channels
include,
for
example,
(nonnetwork)
primary
processing
or
storage
location,
and
thus
allows for of
information
and
information
systems.
However,
distribution
accesses
to information
systems, network paths physically
parallel
processing
and storage.
processing
and/or
storage
components
does not prevent
separate
from
network
paths
used for operational
traffic,
Techniques
and/or
methods employed
by
organizations
toor
adversaries
from
compromising
one
(or
more)
of the
distributed
nonelectronic
paths
such
as
the
US
Postal
Service.
This
is
in
ensure
that only
designated
information
systems
or individuals
components.
Polling
compares
the
processing
results
and/or
contrast
with usinginformation,
the same channels
(i.e., in-band or
channels)
receive
particular
system
components,
Operations
security
(OPSEC)
istraffic.
a systematic
process
bydevices
which
storage
content
from
the various
distributed
components
and
that
carry
routine
operational
Out-of-band
channels
do
include,
for
example,
sending
authenticators
via
courier
service
potential
adversaries
can
be
denied
information
about
the
subsequently
voting
on
the
outcomes.
Polling
identifies
not
have
the
same
vulnerability/exposure
as
in-band
channels,
but
requiring
recipients
to compromises
show
some form
of governmentcapabilities
and
intentions
of organizations
by
identifying,
potential
faults,
errors,
or
in
Information
systems
can
maintain
separate
execution
domains
and
hence
the
confidentiality,
integrity,
or distributed
availability
issued
photographic
identification
as
a
condition
of
receipt.
controlling,
and
protecting
generally
unclassified
information
processing
and/or
storage
components.
for
each executing
process
by assigning
process athe outcompromises
of in-band
channels
will noteach
compromise
that
specifically
relates
toEach
the planning
andsystem
execution
of has
separate
address
space.
information
process
of-band
channels.
Organizations
may
employ
out-of-band
Hardware-based
separation
of information
system
processes
is
sensitive
organizational
activities.
The
OPSEC
process
involves
a
distinct in
address
space or
soto
that
communication
between
channels
thesusceptible
delivery
transmission
ofthan
many
organizational
generally
less
compromise
software-based
five
steps:
(i)performed
identification
of
criticalcontrolled
information
(e.g., the
processes
is
in agreater
manner
through
items
including,
example,
identifiers/authenticators,
separation,
thus for
providing
assurance
that
the the
security
categorization
process);
(ii)
analysis
of
threats;
security
functions,
and
one
process
cannot
modify
the (iii) or
configuration
management
changes
for
hardware,
firmware,
separation
will
be
enforced.
Underlying
hardware
separation
analysis
ofcryptographic
vulnerabilities;
(iv)
assessment
of risks;
andsecurity
(v) the
executing
code
of another
process.
Maintaining
separate
software,
management
information,
mechanisms
include,
forkey
example,
hardware
memory
application
of
appropriate
countermeasures.
OPSEC
safeguards
This
control
applies for
to backups,
internal
and
external can
wireless
execution
domains
executing
processes
be achieved,
updates,
system/data
maintenance
information,
and
management.
are
applied
toby
both
organizational
information
systems
and
the
communication
links
that may
be visible
to individuals
who
are
for
example,
implementing
separate
address
spaces.
This
malicious
code
protection
updates.
environments
in
which
those
systems
operate.
OPSEC
not
authorized
information
system
users.
can
capability
is enhancement
available
in most
commercial
operating
systems
This
control
protects
againstAdversaries
intentional
jamming
safeguards
help
to
protect
the
confidentiality
of
key
information
exploit
the
signal
parameters
of
wireless
links
if
such
links
are
that
employ
multi-state
processor
technologies.
that
mightfor
deny
or impair
communications
by
ensuring that
including,
example,
limiting
the
sharing
of
information
with
not
adequately
protected.
There are many
to exploit
the
wireless
spread
spectrum
waveforms
used ways
to provide
anti-jam
suppliers
and potential
suppliers
ofto
information
system
signal
parameters
of
wireless
links
gain
intelligence,
deny
protection
are not predictable
by unauthorized
individuals.
components,
technology
products
and
services,The
service,
or to information
spoof users
ofalso
organizational
information
control
enhancement
may
coincidentally
help
to
mitigate
and
with other
non-organizational
elements
and individuals.
systems.
This
control
reduces
the impact
of interference
attacks
that are
the
effects
of
unintentional
jamming
due
to
from
Information
criticalsystems.
to mission/business
success
includes,
for
unique
to
wireless
If
organizations
rely
on
commercial
legitimate
transmitters
sharing
theuses,
samesuppliers,
spectrum.
Mission
example,
user
identities,
element
supply
chain
service
providers
for transmission
services
commodity
items
requirements,
projected
concept
ofas
operations,
processes, functional
andthreats,
security
requirements,
systemand
design
This control enhancement is needed for covert communications

and protecting wireless transmitters from being geo-located by
their
transmissions.
The control
enhancement
ensures
that
This control
enhancement
ensures
that the signal
parameters
spread
spectrum
waveforms
to achieve by
lowunauthorized
probability of
of wireless
transmissions
are used
not predictable
detection
are
not
predictable
by
unauthorized
individuals.
individuals.
Such unpredictability
reduces the
probability
of
Radio
fingerprinting
techniques
identify
unique
Mission
requirements,
projected
threats,the
concept
of signal
operations,
imitative
or
manipulative
communications
deception
based
parameters
of transmitters
to fingerprint
such transmitters
and
applicable
legislation,
directives,
regulations,
policies, for
upon
signal
parameters
alone.
purposes
of
tracking
and
mission/user
identification.
This
Connection
ports
include, for
example,
Universal
Bus
standards, and
guidelines
determine
the
levels toSerial
which
control
enhancement
protects
against
the
unique
identification
(USB)
and
Firewire
(IEEE
1394). Input/output (I/O) devices
wireless
links
should
be undetectable.
of
wireless
transmitters
for purposes
of intelligence
exploitation
include,
for
example,
Compact
Disk
(CD)
and Digital
Videoor
Disk
This
control often
applies to types
ofalterations
information
systems
by
ensuring
that
anti-fingerprinting
to
signal
(DVD)
drives.
Physically
disabling
or
removing
such
connection
system
components
characterized
as mobile devices,
for
parameters
not predictable
by unauthorized
individuals.
ports
and smart
I/Oare
devices
helps
prevent
exfiltration
of
information
example,
phones,
tablets,
and
E-readers.
These
systems
This
control
enhancement
helps
assure
missionof
success
when
from
information
systems
and
the
introduction
malicious
often
include
sensors
that
can
collect
and
record
data
anonymity
is required.
code
into systems
from those
ports/devices.
regarding
the environment
where
the system is in use. Sensors
that are embedded within mobile devices include, for example,
cameras, microphones, Global Positioning System (GPS)
In
situations where
sensors are activated
by authorized
mechanisms,
and accelerometers.
While the
sensors on
individuals
(e.g., provide
end users),
it is still possible
that
the
mobiles devices
an important
function,
if activated
data/information
collected
by
the
sensors
will
be
sent
tofor
covertly,
such
devices
can
potentially
provide
a
means
Information collected by sensors for a specific authorized
unauthorized
entities.
adversaries
to
learn
valuable
information
about
individuals
and
purpose potentially could be misused for some unauthorized
organizations.
For
example,
remotely
activating
the
GPS
purpose.
For example, GPS sensors
that are
used to from
support
For
example,
may
prohibit
individuals
function
on a organizations
mobile
device
could
provide
anmovements
adversary with
traffic
navigation
could
be
misused
to
track
of or
bringing
cell
phones
orspecific
digital cameras
into of
certain
facilities
the
ability
to
track
the
movements
an
individual.
individuals.
Measures towithin
mitigate
such activities
include, for
specific
controlled
facilities
where
classified
Information
systemareas
components
include
hardware,
software,
example,
additional
training
to
ensure
that
authorized
partiesor
information
is stored or(e.g.,
sensitive
conversations
are
taking
firmware
components
Voice
Over
Internet
Protocol,
do
not abuse their authority, or (in the case where sensor
place.
mobile
code, digital
copiers, printers,
scanners,
optical
devices,
data/information
is maintained
by external
parties)
contractual
wireless
technologies,
mobile
devices).
restrictions on the use of the data/information.
Detonation chambers, also known as dynamic execution

environments, allow organizations to open email attachments,
execute
untrusted
or suspicious
applications,
and execute
This control
addresses
the establishment
of policy
and
Universal
Resource
Locator
(URL)
requests
in
the
safety of an
isolated
or virtualized
sandbox.in
These
security environment
controls and control
enhancements
the SIprotected
family.
and
isolated
execution
environments
provide
a
of
Policy and procedures reflect applicable federal means
laws, Executive
determining
whether
the associated
attachments/applications
Orders, directives,
regulations,
policies,
standards, and
contain
malicious
code.
While
related
to the
concept at
of the
guidance. Security program policies and
procedures
deception
nets,
the
control
is
not
intended
to
maintain
a longorganization level may make the need for system-specific
term
environment
in
which
adversaries
can
operate
and
policies and procedures unnecessary. The policy can be their
actions
Rather,
it is intended
to quickly
includedcan
as be
partobserved.
of the general
information
security
policy for
identify
malicious
code
and
reduce
the
likelihood
that
the code
organizations or conversely, can be represented by
multiple
is
propagated
to
user
environments
of
operation
(or
prevent
such
propagation
completely).
The procedures
can
be established for the security program in
Organizations identify information systems affected by
announced software flaws including potential vulnerabilities
resulting from those flaws, and report this information to
designated organizational personnel with information security
responsibilities. Security-relevant software updates include, for
example, patches, service packs, hot fixes, and anti-virus
signatures. Organizations also address flaws discovered during
security assessments, continuous monitoring, incident
Central management is the organization-wide management

and implementation of flaw remediation processes. Central
management includes planning, implementing, assessing,
authorizing, and monitoring the organization-defined, centrally
managed flaw remediation security controls.
This control enhancement requires organizations to determine
the current time it takes on the average to correct information
system flaws after such flaws have been identified, and
subsequently establish organizational benchmarks (i.e., time
frames) for taking corrective actions. Benchmarks can be
established by type of flaw and/or severity of the potential
vulnerability if the flaw can be exploited.
Due to information system integrity and availability concerns,

organizations give careful consideration to the methodology
used
to carry
out automatic
Organizations
must that
Previous
versions
of softwareupdates.
and/or firmware
components
balance
the
need
to
ensure
that
the
updates
are
installed
as
are not removed from the information system after updates
soon
as
possible
with
thebe
need
to maintain
configuration
have
been
installed
may
exploited
by adversaries.
Some
Information
system
entry
and
exit points
include, for
example,
management
and
with
any
mission
or
operational
impacts
that
information
technology
products
may
remove
older
versions
firewalls,
electronic
mail servers,
web servers, proxy servers, of
automatic
updates
might
impose.
software
and/orservers,
firmware
automatically
from thecomputers,
informationand
remote-access
workstations,
notebook
system.
mobile devices. Malicious code includes, for example, viruses,
worms, Trojan horses, and spyware. Malicious code can also be
encoded in various formats (e.g., UUENCODE, Unicode),
contained within compressed or hidden files, or hidden in files
using steganography. Malicious code can be transported by
different means including, for example, web accesses,
electronic mail, electronic mail attachments, and portable
storage devices. Malicious code insertions occur through the
exploitation of information system vulnerabilities. Malicious
code protection mechanisms include, for example, anti-virus
signature definitions and reputation-based technologies. A
variety of technologies and methods exist to limit or eliminate
the effects of malicious code. Pervasive configuration
management
and comprehensive
software integrity
controls
Central management
is the organization-wide
management
may
be effective in preventing
execution
of unauthorized
code.
and implementation
of malicious
code protection
mechanisms.
In
addition
to
commercial
off-the-shelf
software,
malicious
code
Central
management
includes
planning,include,
implementing,
Malicious
code
protection
mechanisms
for could
example,
may
also
be
present
in
custom-built
software.
This
assessing,
authorizing,
and monitoring
the
organizationsignature
definitions.
Due
information
system
integrity
and
include,
for
example,
logicto
bombs,
back doors,
and
other types
defined,
centrally
managed
flaw
malicious
code
protection
availability
concerns,
organizations
give
careful
consideration
of cyber controls.
attacks that could affect organizational
security
to
the methodology
used to carry
out automatic
missions/business
functions.
Traditional
maliciousupdates.
code
protection mechanisms cannot always detect such code. In
these situations, organizations rely instead on other safeguards
including, for example, secure coding practices, configuration
management and control, trusted procurement processes, and
monitoring practices to help ensure that software does not
perform functions other than the functions intended.
This control enhancement may be appropriate for situations

where for reasons of security or operational continuity, updates
are only applied when selected/approved by designated
organizational personnel.
Nonsignature-based detection mechanisms include, for

example, the use of heuristics to detect, analyze, and describe
the
or behavior
of malicious
code
to provide
Thischaracteristics
control enhancement
can also
be applied
to and
critical
safeguards
against
malicious
code
for
which
signatures
interfaces other than kernel-based interfaces, including do
for not
yet
exist
or
for
which
existing
signatures
may
not
be
effective.
example,
interfaces with virtual
machines
and
privileged
This
control
protects
against
unauthorized
This
includesenhancement
polymorphic malicious
code
(i.e.,
code that
applications.
Unauthorized
operating
system
commands
commands
and
replay
of
authorized
commands.
This capability
changes
signatures
when
it replicates).
Thisfunctions
control
include,
for
example,
commands
for kernel
from loss,
is
important
for
those
remote
information
systems
whose
The
application
of selected
malicious
code
analysis
tools
and
enhancement
does
not
preclude
the
use
oftrusted
signature-based
information
system
processes
that
are
not
to
malfunction,
misdirection,
or exploitation
wouldin-depth
have initiate
techniques
provides
organizations
with
a
more
detection
mechanisms.
such
commands,
or
commands
for kernel(e.g.,
functions
that
are
immediate
and/or
serious
consequences
injurytechniques,
or death,
understanding
ofthough
adversary
tradecraft
(i.e.,type
tactics,
suspicious
even
commands
of
that
are
reasonable
property
damage,
loss
of functionality
high-valued assets
or sensitive
and
procedures)
and
the
and
purpose
of specific
for
processes
to
initiate.
Organizations
can
define
the
malicious
information,
or
failure
of
important
missions/business
instances
oftomalicious
code.
Understanding
the
characteristics
commands
be
detected
by
a
combination
of
command
functions).
Authentication
safeguards
for remote
commands
of
malicious
codeclasses,
facilitates
effective
organizational
types,
command
or more
specific
instances
ofand
commands.
help
to
ensure
that
information
systems
accept
execute
responses
to current
and hardware
future threats.
Organizations
can in
Organizations
can define
components
by specific
the
order
intended,
only
authorized
commands,
and
that
Information
system
monitoring
includes
and
internal
conduct
malicious
code
analyses
by using
reverse
engineering
component,
component
type,
location
inexternal
the
network,
or
unauthorized
commands
are
rejected.
Cryptographic
monitoring.
External
monitoring
the
observation
of
techniques
or
by monitoring
the includes
behavior
of executing
code.
combination
therein.
Organizations
may
select
different
actions
mechanisms
can at
bethe
employed,
for example,
to authenticate
events
occurring
information
system
boundary
(i.e.,
for
different
types/classes/specific instances of potentially part
remote
commands.
of
perimeter
defense and boundary protection). Internal
malicious commands.
monitoring includes the observation of events occurring within
the information system. Organizations can monitor information
systems, for example, by observing audit activities in real time
or by observing other system aspects such as access patterns,
characteristics of access, and other actions. The monitoring
objectives may guide determination of the events. Information
system monitoring capability is achieved through a variety of
tools and techniques (e.g., intrusion detection systems,
intrusion prevention systems, malicious code protection
software, scanning tools, audit record monitoring software,
network monitoring software). Strategic locations for
monitoring devices include, for example, selected perimeter
locations and near server farms supporting critical applications,
with such devices typically being employed at the managed
interfaces associated with controls SC-7 and AC-17. Einstein
network monitoring devices from the Department of Homeland
Security can also be included as monitoring devices. The
granularity of monitoring information collected is based on
organizational monitoring objectives and the capability of
information systems to support such objectives. Specific types
of transactions of interest include, for example, Hyper Text
Transfer Protocol (HTTP) traffic that bypasses HTTP proxies.
Information system monitoring is an integral part of
organizational continuous monitoring and incident response
programs. Output from system monitoring serves as input to
continuous monitoring and incident response programs. A
network connection is any connection with a device that
Automated tools include, for example, host-based, networkbased, transport-based, or storage-based event monitoring
tools or Security Information and Event Management (SIEM)
technologies that provide real time analysis of alerts and/or
notifications generated by organizational information systems.
Unusual/unauthorized activities or conditions related to
information system inbound and outbound communications
traffic
include,
for example,
internal
traffic
that indicates
the
Alerts may
be generated
from
a variety
of sources,
including,
presence
of
malicious
code
within
organizational
information
for example, audit records or inputs from malicious code
systems
ormechanisms,
propagating among
system
components,
the
protection
intrusion
detection
or prevention
unauthorized
exporting
of
information,
or
signaling
to
external
mechanisms, or boundary protection devices such as firewalls,
information
systems.
Evidence
of
malicious
code
is
used
to
gateways, and routers. Alerts can be transmitted, for example,
Least-disruptive
actions
may
include,
for
example,
initiating
identify
potentially
compromised
information
systems
or
telephonically, by electronic mail messages, or by text
requests
for Organizational
human components.
responses.
information
system
messaging.
personnel on the notification list can
include, for example, system administrators, mission/business
owners, system owners, or information system security officers.
Testing intrusion-monitoring tools is necessary to ensure that
the tools are operating correctly and continue to meet the
monitoring
objectives
organizations.
The frequency
Organizations
balanceof
the
potentially conflicting
needsoffor
testing
depends
on
the
types
of
tools
used
by
organizations
encrypting communications traffic and for having insight into
and
methods
of deployment.
such
trafficwithin
from
aorganizational
monitoring perspective.
some include,
Anomalies
informationFor
systems
organizations,
the
need
to
ensure
the
confidentiality
for example, large file transfers, long-time persistent of
communications
traffic
is paramount;
for others,
missionconnections,
unusual
protocols
andon
ports
use, and
attempted
This
controlisenhancement
focuses
the in
security
alerts
assurance
of
greater
concern.
Organizations
determine
communications
with
suspected
malicious
external
addresses.
generated
byvisibility
organizations
and transmitted
automated
whether the
requirement
applies to using
internal
encrypted
means.
In
contrast
to
the
alerts
generated
by
information
traffic, encrypted traffic intended for external destinations, or a
systems
SI-4
(5), which
subset ofinthe
traffic
types.tend to focus on information sources
internal to the systems (e.g., audit records), the sources of
information for this enhancement can include other entities as
well (e.g., suspicious activity reports, reports on potential
insider threats).
Wireless signals may radiate beyond the confines of

organization-controlled facilities. Organizations proactively
search for unauthorized wireless connections including the
conduct of thorough scans for unauthorized wireless access
points. Scans are not limited to those areas within facilities
Correlating
information systems,
from different
monitoring
tools can
containing information
but also
include areas
outside
provide
a
more
comprehensive
view
of
information
system
of facilities as needed, to verify that unauthorized wireless
activity.
The enhancement
correlation
of monitoring
tools
that usually
work in
This
control
correlates
monitoring
information
access
points
are not connected
to the
systems.
isolation
(e.g.,
host
monitoring,
network
monitoring,
anti-virus
from a more diverse set of information sources to achieve
software)
can
provide awareness.
an organization-wide
view
and in so
integrated
situational
situational
Covert
means
thatotherwise
can be used
forIntegrated
the
unauthorized
exfiltration
doing,
may
reveal
unseen
attack
patterns.
awareness
from
a
combination
of
physical,
cyber,
and
supply
of
organizational
information
include, for example,
Understanding
the
capabilities/limitations
of
diverse
monitoring
chain
monitoring activities enhances the capability of
steganography.
tools
and how to
to more
maximize
thedetect
utility sophisticated
of informationcyber
generated
organizations
quickly
by
those
tools
can
help
organizations
to
build,
operate,
and
attacks and investigate the methods and techniques employed
maintain
effective
monitoring
programs.
to carry out such attacks. In contrast to SI-4 (16) which
correlates the various cyber monitoring information, this
control enhancement correlates monitoring beyond just the
Indications of increased risk from individuals can be obtained

from a variety of sources including, for example, human
resource records, intelligence agencies, law enforcement
organizations, and/or other credible sources. The monitoring of
individuals is closely coordinated with management, legal,
security, and human resources officials within organizations
conducting such monitoring and complies with federal
Unauthorized
or unapproved
include,
for
legislation, Executive
Orders, network
policies,services
directives,
regulations,
example,
services in service-oriented architectures that lack
and standards.
organizational
verification
or validation
and therefore
may be
Information system
components
where host-based
monitoring
unreliable
or
serve
as
malicious
rogues
for
valid
services.
can be implemented include, for example, servers,
workstations,
and mobile devices.
consider
Indicators of compromise
(IOC) areOrganizations
forensic artifacts
from
employing
host-based
monitoring
mechanisms
from
multiple
intrusions that are identified on organizational information
information
technology
product developers.
systems
(atStates
the host
or network
level). IOCs
provideTeam (USThe United
Computer
Emergency
Readiness
organizations
with
valuable
information
on
objects
or
CERT) generates security alerts and advisories to maintain
information
systems
that
have
been
compromised.
IOCs
for the
situational awareness across the federal government.
Security
discovery
of
compromised
hosts
can
include
for
example,
the
directives are issued by OMB or other designated organizations
creation
registry keyand
values.
IOCs for
network
traffic
include,
with the of
responsibility
authority
to issue
such
directives.
for
example,
Universal
Resource
Locator
(URL)
or
protocol
Compliance to security directives is essential due to the critical
elements
that indicate
command
control
servers.
nature of many
of thesemalware
directives
and the and
potential
immediate
The
rapid
distribution
and
adoption
of
IOCs
can
improve
adverse effects on organizational operations and assets,
information
security
by reducing and
the the
timeNation
that information
individuals, other
organizations,
should the
systems
and
organizations
are
vulnerable
the same
exploit
directives not be implemented in a timely to
manner.
External
or
attack.
organizations include, for example, external mission/business
partners, supply chain partners, external service providers, and
The
numberorganizations.
of changes to organizational
othersignificant
peer/supporting
information systems and the environments in which those
systems
operate
the dissemination
of security-related
Transitional
statesrequires
for information
systems include,
for
information
to
a
variety
of
organizational
entities
that have a
example, system startup, restart, shutdown, and abort.
direct
interestprovided
in the success
of organizational
missionsfor
and
Notifications
by information
systems include,
business
functions.
Based
on
the
information
provided
by
the
example, electronic alerts to system administrators, messages
security
alerts andconsoles,
advisories,
changes
may be
required such
at one
to local computer
and/or
hardware
indications
or
more
of
the
three
tiers
related
to
the
management
of
as lights.
information security risk including the governance level,
mission/business process/enterprise architecture level, and the
information system level.
Organizational personnel with potential interest in security

function verification results include, for example, senior
information
security
officers,
information
system
Unauthorized
changes
to software,
firmware,
andsecurity
information
managers,
and
information
systems
security
officers.
can occur due to errors or malicious activity (e.g., tampering).
Software
includes,events
for example,
systems
(with key
Security-relevant
include,operating
for example,
the identification
internal
components
such
as
kernels,
drivers),
middleware,
of a new threat to which organizational information systemsand
are
applications.
Firmware
includes, of
fornew
example,
the Basic
Inputor
susceptible, and
the installation
hardware,
software,
Output
System
(BIOS).states
Information
includes
metadata
such as
firmware.
Transitional
include,
for example,
system
security
attributes
associated
with
information.
State-of-thestartup, restart, shutdown, and abort.
practice integrity-checking mechanisms (e.g., parity checks,
cyclical redundancy checks, cryptographic hashes) and
associated tools can automatically monitor the integrity of
The use of automated tools to report integrity violations and to

notify organizational personnel in a timely matter is an
essential precursor to effective risk response. Personnel having
an interest in integrity violations include, for example,
mission/business owners, information system owners, systems
administrators, software developers, systems integrators, and
information security officers.
Organizations may define different integrity checking and
anomaly responses: (i) by type of information (e.g., firmware,
software,
user mechanisms
data); (ii) by specific
(e.g.,
Cryptographic
used forinformation
the protection
of boot
integrity
firmware,
boot
firmware
for
a
specific
types
of
machines);
or
include, for example, digital signatures and the computation
(iii)
a
combination
of
both.
Automatic
implementation
of
and
application
of signed hashes
using
asymmetric
This
control
enhancement
helps to
ensure
that detected
events
specific
safeguards
withinthe
organizational
information
systems
cryptography,
protecting
confidentiality
of
the
key
used
to
are
tracked,
monitored,
corrected,
and
available
for historical
includes,
for
example,
reversing
the
changes,
halting
the
generate
the
hash, andhistorical
using therecords
public is
key
to verify both
the hash
purposes.
Maintaining
important
Organizations
select or
response
actions
on
types of for
information
system,
triggering
auditbased
alerts
when
information.
being
ablespecific
to identify
and discern
adversary
over an
software,
software,
or
foractions
which
there
are
unauthorized
modifications
to information
critical
security
files occur.
extended
period
of
time
and
for
possible
legal
actions.
potential
integrity
violations.
Ensuring
the integrity
of boot
processes
is criticalunauthorized
to starting
Security-relevant
changes
include,
for example,
devices
states. Integrity
verification
changesin
toknown/trustworthy
established configuration
settings or
unauthorized
mechanisms
provide
organizational
personnel
withbe
assurance
Unauthorized
modifications
to boot
firmware may
indicative
elevation of information
system
privileges.
that
only
trusted
code
is
executed
during
boot
processes.
of a sophisticated, targeted cyber attack. These types of cyber
attacks
can result
in a software
permanent
denial
(e.g.,
if the
Organizations
identify
that
may of
beservice
of greater
concern
firmware
is
corrupted)
or
a
persistent
malicious
code
presence
with regard to origin or potential for containing malicious code.
(e.g.,
if code
is embedded
within
the firmware).
can
For
this
type of
software,
user
installations
occurDevices
insoftware
confined
Organizations
verify
the
integrity
of user-installed
protect
the
integrity
of
the
boot
firmware
in
organizational
environments
of operation
tothe
limit
or contain
damage from
prior
to execution
to reduce
likelihood
of executing
information
systems
by: (i)
verifying
the integrity
and
malicious
code
that
may
be
executed.
malicious
code
or updates
code that
errors
fromprior
unauthorized
This
control
enhancement
applies
to all
sources
of
binary
authenticity
of all
tocontains
the boot
firmware
to or
modifications.
Organizations
consider
the
practicality
of
machine-executable
codeboot
including,
forand
example,
commercial
applying changes to the
devices;
(ii) preventing
approaches
toprocesses
verifying
software
integrity
including,
for
software/firmware
and open
source
software.
unauthorized
from
modifying
the
bootoffirmware.
This
control
enhancement
applies
toof
all
sources
binary or
example,
availability
of checksums
adequate
trustworthiness
machine-executable
code or
including,
from software developers
vendors.for example, commercial
software/firmware and open source software. Organizations
assess software products without accompanying source code
from sources with limited or no warranty for potential security
impacts. The assessments address the fact that these types of
software products may be very difficult to review, repair, or
Cryptographic
authentication
includes,
forcases,
example,
verifying
extend, given that
organizations,
in most
do not
have
that
software
firmware
components
access
to the or
original
source
code, andhave
therebeen
may digitally
be no owners
signed
using
certificates
recognized
and
approved
who
could
make
such
repairs
on
behalf
of
organizations.
This control enhancement addresses processes for by
which
organizations.
Code
signing
is be
an determined
effective method
to protectin
normal execution
periods
can
and situations
against
malicious
code.
which
organizations
exceed
such
Supervision
includes,
Information
system entry
and
exitperiods.
points include,
for example,
for
example,
operating
system
timers,
automated
responses,
firewalls, electronic mail servers, web servers, proxy servers, or
manual
oversight
and response
when mobile
information
system
remote-access
servers,
workstations,
devices,
and
process
anomalies
occur.
notebook/laptop computers. Spam can be transported by
different means including, for example, electronic mail,
electronic mail attachments, and web accesses. Spam
protection mechanisms include, for example, signature
Central management is the organization-wide management
definitions.
and implementation of spam protection mechanisms. Central
management includes planning, implementing, assessing,
authorizing, and monitoring the organization-defined, centrally
managed spam protection security controls.
Learning mechanisms include, for example, Bayesian filters

that respond to user inputs identifying specific traffic as spam
or legitimate by updating algorithm parameters and thereby
more accurately separating types of traffic.
Checking the valid syntax and semantics of information system
inputs (e.g., character set, length, numerical range, and
acceptable values) verifies that inputs match specified
definitions for format and content. Software applications
typically follow well-defined protocols that use structured
messages (i.e., commands or queries) to communicate
between software modules or system components. Structured
messages can contain raw or unstructured data interspersed
with metadata or control information. If software applications
use attacker-supplied inputs to construct structured messages
without properly encoding such messages, then the attacker
could insert malicious commands or special characters that can
Resolution
of input
validation
errors
includes,
for example,
cause the data
to be
interpreted
as control
information
or
correcting
causes
of module
errors and
resubmitting
metadata. systemic
Consequently,
the
or component
that
transactions
with corrected
input.
A
common
in organizational
information
systems
receives
thevulnerability
tainted
output
will
perform the
wrong operations
is
behavior
invalid inputs
are received.
This
or unpredictable
otherwise interpret
the when
data incorrectly.
Prescreening
inputs
control
enhancement
ensures
that
there
is
predictable
behavior
prior
to
passing
to
interpreters
prevents
the
content
from
being
In addressing invalid information system inputs received across
in
the face
of invalid
inputsinteractions
bycommands.
specifying
information
system
unintentionally
interpreted
as
Input relevant,
validation
protocol
interfaces,
timing
become
where
responses
that
facilitate
transitioning
the system
to known
helps
to ensure
accurate
and correct
inputs
and
prevent
one
protocol
needs
to
consider
the
impact
of
the
error
response
This
control
enhancement
applies the
concept
of of
whitelisting
states
without
unintended
side
attacks
such
asadverse,
cross-site
scripting
and
aeffects.
variety
injection to
on
other
protocols
within
the
protocol
stack.
For
example,
information
inputs.
Specifying
known
trusted
sources
for
attacks.
802.11
standard
wireless
network protocols
dosuch
not interact
well
information
inputs
and
acceptable
formats
for
inputs
can
Organizations
carefully
consider
the(TCP)
structure/content
ofare
error
with
Transmission
Control
Protocols
when
packets
reduce
the The
probability
of
activity. systems are able to
messages.
extent
to malicious
which
dropped (which
could be
due
toinformation
invalid packet
input). TCP
identify
handle
error
conditions
is guided by
organizational
assumesand
packet
losses
are
due to congestion,
while
packets
policy
and
operational
requirements.
Information
could be
lost over 802.11 links are typically dropped due tothat
collisions
or
exploited
by
adversaries
includes,
for
example,
erroneous
noise on the link. If TCP makes a congestion response, it takes
logon
attempts
with action
passwords
enteredtobya mistake
the
precisely
the wrong
in response
collision as
event.
username,
information
that
can be derived
Adversariesmission/business
may be able to use
apparently
acceptable
Information
handling
and
retention
requirements
the full
from
(if
not
stated
explicitly
by)
information
recorded,
and
individual behaviors of the protocols in concert tocover
achieve
life
cycle
of
information,
in
some
cases
extending
beyond
the
personal
information
such
as
account
numbers,
social
security
adverse effects through suitable construction of invalid input.
disposal
of
information
systems.
The
National
Archives
and
numbers,
and
credit
card
numbers.
In
addition,
error
messages
While MTTF is primarily a reliability issue, this control addresses
Records
Administration
provides
on records
retention.
may
provide
a covert
channel
forguidance
transmitting
information.
potential
failures
of specific
information
system
components
that provide security capability. Failure rates reflect installationspecific consideration, not industry-average. Organizations
define criteria for substitution of information system
components based on MTTF value with consideration for
resulting potential harm from component failures. Transfer of
responsibilities between active and standby components does
not compromise safety, operational readiness, or security
capability (e.g., preservation of state variables). Standby
components remain available at all times except for
maintenance issues or recovery failures in progress.
Automatic or manual transfer of components from standby to
active mode can occur, for example, upon detection of
component failures.
Failover refers to the automatic switchover to an alternate

information system upon the failure of the primary information
system.
Failover
capability
includes,
for example,
incorporating
This control
mitigates
risk from
advanced
persistent
threats
mirrored
information
system
operations
at
alternate
processing
(APTs) by significantly reducing the targeting capability of
sites
or periodic
data
mirroring
at regularand
intervals
defined
by
adversaries
(i.e.,include,
window
of example,
opportunity
available
attack
Trusted
sources
for
software/data
from
writerecovery
time
periods
of
organizations.
surface)
to initiate
and or
complete
cyber attacks.
By
once, read-only
media
from selected
off-line secure
storage
implementing
the
concept
of
non-persistence
for
selected
facilities.
Certain
types
of cyber
attacks (e.g.,
SQL injections)
producea
information
system
components,
organizations
can provide
output
results
that are unexpected
with
known state
computing
resource forora inconsistent
specific period
ofthe
time
output
results
that
would
normally
be
expected
from
software
Some
adversaries
attacks
with the
intent
executing
that does
not give launch
adversaries
sufficient
time
on of
target
to
programs
or applications.
This control
enhancement
focuses on
code
in vulnerabilities
non-executable
of memory
or in memory
exploit
inregions
organizational
information
systems
detecting
extraneous
content,
preventing
such
extraneous
locations
that are include,
prohibited.
safeguards
employed
and
theconditions
environments
in which
those systems
Sinceto
Failure
for Security
example,
lossmonitoring
of operate.
communications
content
from
being
displayed,
and
alerting
tools
protect
memory
include,
for
example,
data
execution
the
advanced
threat is a or
high-end
threat
with regard
among
critical persistent
system
components
between
system
that
anomalous
behavior
has been
discovered.
prevention
and
address
space
layout
randomization.
Datathat
to
capability,
intent,
and
targeting,
organizations
assume
components
and operational
facilities.
Fail-safe
procedures
Information
security
program
plans
can
be represented
in
execution
prevention
safeguards
can
either
be
hardwareover
an
extended
period
of
time,
a
percentage
of
cyber
attacks
include,
for example,
alerting operator
personnelatand
providing
single
documents
or
compilations
of
documents
the
enforced
or
software-enforced
with
hardware
providing
the
will
be
successful.
Non-persistent
information
system
specific
instructions
on subsequent
steps
to takethe
(e.g.,
do
discretion
of and
organizations.
The
plans
document
program
greater
strength
of
mechanism.
components
services
are
activated
as down
required
using
nothing,
reestablish
system
settings,
shut
processes,
management
controls and
and terminated
common
protected
information
periodically
or upon the
restart
the
system,
or
contact
designated
organizational
controls.
Information
security program
plansthe
provide
sufficient
end
of
sessions.
Non-persistence
increases
work
factor
of
personnel).
information
about
the
program
management
controls/common
adversaries in attempting to compromise or breach
controls
(including
specification
of parameters
for any
organizational
information
systems.
Non-persistent
system
assignment
and
selection
statements
either
explicitly
or by
components can be implemented, for example, by periodically
reference)
enable implementations
that areofunambiguously
re-imaging to
components
or by using a variety
common
compliant
with
the
intent
of
the
plans
and
a determination
virtualization techniques. Non-persistent services
can be of
the
risk
to
be
incurred
if
the
plans
are
implemented
implemented using virtualization techniques as part as
of virtual
intended.
plans for
machines The
or assecurity
new instances
ofindividual
processesinformation
on physicalsystems
and
the organization-wide
security program
plan
machines
(either persistentinformation
or non-persistent).The
benefit
of
together,
provide
complete
coverage
for
all
security
controls
periodic refreshes of information system components/services
employed
within
organization.
Common
controls
are
is that it does
notthe
require
organizations
to first
determine
documented
in
an
appendix
to
the
organizations
whether compromises of components or services have occurred
information
security
unless
controls are
(something that
mayprogram
often beplan
difficult
for the
organizations
to
included
in aThe
separate
plan information
for an information
determine).
refreshsecurity
of selected
systemsystem
(e.g.,
securityand
controls
employed
as part
of an intrusion
components
services
occurs with
sufficient
frequency to
detection
system
providing
organization-wide
boundary
prevent the spread or intended impact of attacks,
but not with
protection
inherited
by
one
or
more
organizational
information
such frequency that it makes the information system
unstable.
The
security
officer
described
in
this
control
is
an
systems).
The organization-wide
information
security
program
In some instances,
refreshes of critical
components
and
organizational
official.
For
a federal
agency
(as contain
defined in
plan
will
indicate
which
separate
security
plans
services may be done periodically in order to hinder the ability
applicable
federal
laws, Executive
Orders,
directives,
policies,
descriptions
ofconsider
common
controls.
have
the
Organizations
champions
for
information
of adversaries
to
exploitestablishing
optimumOrganizations
windows
of vulnerabilities.
or
regulations)
this
official
is
the
Senior
Agency
Information
flexibility
to
describe
common
controls
in
a
single
document
or
security efforts and as part of including the necessary
Security
Officer.
Organizations
may
also
refer
to
this
official
as
in
multiple
documents.
In
the
case
of
multiple
documents,
the
resources, assign specialized expertise and resources as
the
Senior
Information
Security
Officer
orare
Chief
Information
documents
describing common
controls
included
as
needed.
Organizations
may designate
and
empower
an
Security
Officer.
attachments
to
the
information
security
program
plan.
the
Investment Review Board (or similar group) to manage Ifand
information
security
program
plan
contains
multiple
provide oversight for the information security-related aspects
documents,
organization
specifies in
each document
of the capitalthe
planning
and investment
control
process. the
organizational official or officials responsible for the
development, implementation, assessment, authorization, and
monitoring of the respective common controls. For example,
the organization may require that the Facilities Management
Office develop, implement, assess, authorize, and continuously
monitor common physical and environmental protection
controls from the PE family when such controls are not
associated with a particular information system but instead,
The plan of action and milestones is a key document in the

information security program and is subject to federal reporting
requirements established by OMB. With the increasing
emphasis on organization-wide risk management across all
three tiers in the risk management hierarchy (i.e., organization,
mission/business process, and information system),
organizations view plans of action and milestones from an
organizational perspective, prioritizing risk response actions
and ensuring consistency with the goals and objectives of the
organization. Plan of action and milestones updates are based
on findings from security control assessments and continuous
monitoring activities. OMB FISMA reporting guidance contains
instructions regarding organizational plans of action and
milestones.
This control addresses the inventory requirements in FISMA.
OMB provides guidance on developing information systems
inventories
associatedare
reporting
requirements.
Forused
specific
Measures ofand
performance
outcome-based
metrics
by
information
system
inventory
reporting
requirements,
an organization to measure the effectiveness or efficiency of
organizations
consult
OMB
annualand
FISMA reporting
guidance.
the
security
program
security
controls
The information
enterprise architecture
developedthe
by the
organization
is
employed
in the
support
of the
program.
aligned with
Federal
Enterprise
Architecture. The
integration
of information
security
requirements
andofassociated
Protection strategies
are based
on the
prioritization
critical
security
controls
into
the
organizations
enterprise
assets and resources. The requirement and guidance for
architecture
helps
to ensure that
considerations
defining
critical
infrastructure
andsecurity
key resources
and for are
An
organization-wide
risk management
strategy
includes,
for
addressed
by
organizations
early
in
the
system
development
preparing
an unambiguous
associated critical
infrastructure
protection
plan
example,
an
expression
of
the
risk
tolerance
for
life
cycle
and
are directly
and explicitly
related Orders,
to the
are
found
in applicable
federal
laws,
Executive
the
organization,
acceptable
risk
assessment
methodologies,
organizations
mission/business
processes.
process of
directives,
policies,
regulations,
standards,
andThis
guidance.
risk
mitigation
strategies,
a
process
for
consistently
evaluating
security requirements integration also embeds into the
risk
across architecture,
the organization
with respect
to the security
enterprise
an integral
information
organizations
risk
tolerance,
and
approaches
for monitoring
architecture consistent with organizational risk management
risk
over
time.
The
use
of
a
risk
executive
function
can
and information security strategies. For PM-7, the information
facilitate
consistent,
organization-wide
application
of
the risk
security architecture is developed at a system-of-systems
level
management
strategy.
The organization-wide
risk management
(organization-wide),
representing
all of the organizational
strategy
cansystems.
be informed
by risk-related
inputssecurity
from
otherand
Security
authorization
processes
information
systems
information
For
PL-8,
thefor
information
sources
both
internal
and
external
to
the
organization
to
environments
operationatrequire
implementation
ofensure
an
architecture is of
developed
a levelthe
representing
an individual
the
strategy
is
both
broad-based
and
comprehensive.
organization-wide
process,
a Risk
information systemrisk
butmanagement
at the same time,
is consistent
with the
Management
Framework,
and associated
security
standards
architecture
defined for
the organization.
and
guidelines.
Specificand
roles
withincontrol
the riskintegration
management
Security
requirements
security
are most
process
include
an organizational
risk application
executive (function)
and
effectively
accomplished
through the
of the Risk
designated
authorizing
officials
for each organizational
Management
Framework
and supporting
security standards
information
system
common
control
provider. Security
and guidelines.
The and
Federal
Segment
Architecture
Methodology
authorization
processes
are integrated
with organizational
provides guidance
on integrating
information
security
continuous
processes
tointo
facilitate
ongoing
requirements
and security
controls
enterprise
Information monitoring
protection
needs
are technology-independent,
understanding
and
acceptance
of
risk
to
organizational
architectures.
required capabilities to counter threats to organizations,
operations
assets,
individuals,
other
organizations,
individuals,and
or the
Nation
through the
compromise
of and the
Nation.
information (i.e., loss of confidentiality, integrity, or
availability). Information protection needs are derived from the
mission/business needs defined by the organization, the
mission/business processes selected to meet the stated needs,
Organizations
handlingrisk
classified
information
are required,
and the organizational
management
strategy.
Information
under
Executive
13587
and
the National
Policy
on Insider
protection
needsOrder
determine
the
required
security
controls
for
Threat,
to establish
threat programs.
The systems
standards and
the organization
andinsider
the associated
information
guidelines
apply to insider threat
programs
in classified
supporting that
the mission/business
processes.
Inherent
in defining
environments
can also
be employed
effectively
to is
improve
the
an organizations
information
protection
needs
an
security
of Controlled
Unclassified
Information
in non-national
understanding
of the level
of adverse
impact that
could result if
security
systems.
Insider threat
programs
include security
a compromise
of information
occurs.
The security
controls
to detect
and prevent
malicious
insider
activity
categorization
process
is used to
make such
potential
impact
Information security workforce development and improvement

programs include, for example: (i) defining the knowledge and
skill
perform
information
security
duties for
and
This levels
controlneeded
ensurestothat
organizations
provide
oversight
tasks;
(ii) developing
role-based
programs
for
the security
testing, training,
andtraining
monitoring
activities
individuals
assigned
information
security
roles
and
conducted organization-wide and that those activities are
responsibilities;
and
providing of
standards
for measuring
coordinated. With
the(iii)
importance
continuous
monitoring and
building
individual
qualifications
for
incumbents
and applicants
programs, the implementation of information security
across
for
information
security-related
positions.
Such
workforce
the three tiers of the risk management hierarchy, and the
programs
can
also
include associated
widespread
use
of common
controls, organizations
coordinate
career
paths
to
encourage:
(i)
information
and consolidate the testing and monitoringsecurity
activities that are
professionals
to advance
in the
field and
fill positions with
routinely conducted
as part
of ongoing
organizational
greater
responsibility;
and
(ii)
organizations
fill information
assessments supporting a variety of securitytocontrols.
Security
security-related
positions
with
qualified
personnel.
Information
training activities, while typically focused on individual
security
workforce
development
improvement
programs
information
systems
and specificand
roles,
also necessitate
Ongoing
contact
with
security
groups
and
associations
of
are
complementary
to
organizational
security
awareness
coordination across all organizational elements. Testing,is and
paramount
importance
in
an
environment
of
rapidly
changing
training
programs.
Information
security
workforce
development
training, and monitoring plans and activities are informed by
technologies
Security
groups
and associations
and
improvement
programs
focus
on
developing
and
current
threatand
andthreats.
vulnerability
assessments.
include,
for
example,
special
interest
groups,
forums,
institutionalizing core information security capabilities of
professional
associations,
groups,
and/or peer groups of
selected personnel
needednews
to protect
organizational
security
professionals
similar organizations. Organizations
operations,
assets, andinindividuals.
select groups and associations based on organizational
missions/business functions. Organizations share threat,
vulnerability, and incident information consistent with
applicable
laws, Executive
Orders,
directives, policies,
Because offederal
the constantly
changing
and increasing
regulations,
standards,
and
guidance.
sophistication of adversaries, especially the advanced
persistent threat (APT), it is becoming more likely that
adversaries may successfully breach or compromise
organizational information systems. One of the best techniques
to address this concern is for organizations to share threat
information. This can include, for example, sharing threat
events (i.e., tactics, techniques, and procedures) that
organizations have experienced, mitigations that organizations
have found are effective against certain types of threats, threat
intelligence (i.e., indications and warnings about threats that
are likely to occur). Threat information sharing may be bilateral
(e.g., government-commercial cooperatives, governmentgovernment cooperatives), or multilateral (e.g., organizations
taking part in threat-sharing consortia). Threat information may
be highly sensitive requiring special agreements and
protection, or less sensitive and freely shared.
RELATED
PM-9
AC-3,AC-4,AC-5,AC-6,AC-10,AC-17,AC19,AC-20,AU-9,IA-2,IA-4,IA-5,IA-8,CM5,CM-6,CM-11,MA-3,MA-4,MA-5,PL4,SC-13
AU-2,AU-12
SC-23
AC-16
AC-16
CA-7
PS-4
AC-2,AC-4,AC-5,AC-6,AC-16,AC-17,AC18,AC-19,AC-20,AC-21,AC-22,AU9,CM-5,CM-6,CM-11,MA-3,MA-4,MA5,PE-3
CP-9,MP-6
AC-25,SC-11
CM-3
AU-2,AU-6
AC-3,AC-17,AC-19,AC-21,CM-6,CM7,SA-8,SC-2,SC-5,SC-7,SC-18
AC-16
SI-4
SI-4
AC-16,SI-7
SI-3
IA-2,IA-3,IA-4,IA-5
AC-16,SC-16
AC-3,AC-6,PE-3,PE-4,PS-2
AC-2,AC-3,AC-5,CM-6,CM-7,PL-2
AC-17,AC-18,AC-19
PL-4
AC-17
AC-4,SC-3,SC-30,SC-32
CM-6
IA-8
CA-7
AU-2
AC-2,AC-9,AC-14,IA-5
AC-19,MP-5,MP-6,SC-13
AC-7,PL-4
AC-7
SC-10,SC-23
CP-2,IA-2
AC-3,AC-4,AC-6,AC-21,AU-2,AU-10,SC16,MP-3
AC-4
AC-6,AU-2
AC-2,AC-3,AC-18,AC-19,AC-20,CA3,CA-7,CM-8,IA-2,IA-3,IA-8,MA-4,PE17,PL-4,SC-10,SI-4
AU-2,AU-12
SC-8,SC-12,SC-13
SC-7
AC-6
AT-2,AT-3,PS-6
AC-2,AC-3,AC-17,AC-19,CA-3,CA-7,CM8,IA-2,IA-3,IA-8,PL-4,SI-4
SC-8,SC-13
AC-19
AC-3,SC-15
PE-19
AC-3,AC-7,AC-18,AC-20,CA-9,CM-2,IA2,IA-3,MP-2,MP-4,MP-5,PL-4,SC-7,SC43,SI-3,SI-4
CA-6,IR-4
MP-5,SC-13,SC-28
AC-3,AC-17,AC-19,CA-3,PL-4,SA-9
CA-2
AC-3
AC-3,AC-4,AT-2,AT-3,AU-13
AC-3,AC-16,SC-3,SC-39
PM-9
AT-3,AT-4,PL-4
CA-2,CA-7,CP-4,IR-3
PL-4,PM-12,PS-3,PS-6
AT-2,AT-4,PL-4,PS-7,SA-3,SA-12,SA-16
PE-1,PE-13,PE-14,PE-15
PE-2,PE-3,PE-4,PE-5
AT-2,AT-3,PM-14
PM-9
AC-6,AC-17,AU-3,AU-12,MA-4,MP2,MP-4,SI-4
AU-2,AU-8,AU-12,SI-11
AU-6,AU-7
AU-2,AU-5,AU-6,AU-7,AU-11,SI-4
AU-4,SI-12
AU-15
AC-2,AC-3,AC-6,AC-17,AT-3,AU-7,AU16,CA-7,CM-5,CM-10,CM-11,IA-3,IA5,IR-5,IR-6,MA-4,MP-4,PE-3,PE-6,PE14,PE-16,RA-5,SC-7,SC-18,SC-19,SI3,SI-4,SI-7
AU-12,PM-7
AU-12,IR-4
AU-2,AU-12
AU-12,IR-4,RA-5
AU-3,AU-9,AU-11,AU-12
AT-2
AU-6
AU-2,AU-12
AU-3,AU-12
AC-3,AC-6,MP-2,MP-4,PE-2,PE-3,PE-6
AU-4,AU-5
AU-4,AU-5,AU-11
AU-10,SC-12,SC-13
AC-5
AC-3,MP-2
SC-12,SC-8,SC-13,SC-16,SC-17,SC-23
AC-4,AC-16
AC-3,AC-4,AC-16
AC-4,AC-16
AC-4,AC-16
AU-4,AU-5,AU-9,MP-6
AC-3,AU-2,AU-3,AU-6,AU-7
AU-8,AU-12
AU-7
PE-3,SC-7
AC-3,AU-4,AU-5,AU-9,AU-11
AU-5
AU-6
PM-9
CA-5,CA-6,CA-7,PM-9,RA-5,SA-11,SA12,SI-4
PE-3,SI-2
AC-3,AC-4,AC-20,AU-2,AU-12,AU16,CA-7,IA-3,SA-9,SC-7,SI-4
CM-7
CA-2,CA-7,CM-4,PM-4
CA-2,CA-7,PM-9,PM-10
CA-2,CA-5,CA-6,CM-3,CM-4,PM-6,PM9,RA-5,SA-11,SA-12,SI-2,SI-4
SA-12
CA-2
AC-3,AC-4,AC-18,AC-19,AU-2,AU12,CA-7,CM-2,IA-3,SC-7,SI-4
CM-6
PM-9
CM-3,CM-6,CM-8,CM-9,SA-10,PM5,PM-7
CM-5
CM-7,RA-5
CM-4,SC-3,SC-7
CA-7,CM-2,CM-4,CM-5,CM-6,CM-9,SA10,SI-2,SI-12
SC-13
CA-2,CA-7,CM-3,CM-9,SA-4,SA-5,SA10,SI-2
SA-11,SC-3,SC-7
SA-11
AC-3,AC-6,PE-3
AU-2,AU-12,AU-6,CM-3,CM-6
AU-6,AU-7,CM-3,CM-5,PE-6,PE-8
CM-7,SC-13,SI-7
AC-5,CM-3
AC-2
AC-2
AC-19,CM-2,CM-3,CM-7,SI-4
CA-7,CM-4
IR-4,SI-7
AC-6,CM-2,RA-5,SA-5,SC-7
AC-18,CM-7,IA-2
CM-8,PM-5
CM-6,CM-8,PM-5
CM-2,CM-6,CM-8,PM-5,SA-10,SC-34,SI7
CM-2,CM-6,PM-5
SI-7
AC-17,AC-18,AC-19,CA-7,SI-3,SI-4,SI7,RA-5
CM-2,CM-6
SA-4
CM-2,CM-3,CM-4,CM-5,CM-8,SA-10
AC-17,CM-8,SC-7
AC-3,CM-2,CM-3,CM-5,CM-6,CM-7,PL-4
CA-7,SI-4
AC-6
PM-9
AC-14,CP-6,CP-7,CP-8,CP-9,CP-10,IR4,IR-8,MP-2,MP-4,MP-5,PM-8,PM-11
PE-12
PE-12
PE-12
PE-12
SA-9
SA-14,SA-15
AT-2,AT-3,CP-2,IR-2
CP-2,CP-3,IR-3
IR-8,PM-8
CP-7
CP-10,SC-24
CP-2,CP-7,CP-9,CP-10,MP-4
RA-3
RA-3
CP-2,CP-6,CP-8,CP-9,CP-10,MA-6
RA-3
RA-3
CM-2,CM-6
CP-2,CP-6,CP-7
CP-2,CP-6,MP-4,MP-5,SC-13
CP-4
CP-4
CM-2,CM-8
CP-7,CP-10
AC-3,MP-2
CA-2,CA-6,CA-7,CP-2,CP-6,CP-7,CP9,SC-24
CM-2
AC-3,AC-6,PE-3
CP-2
PM-9
AC-2,AC-3,AC-14,AC-17,AC-18,IA-4,IA5,IA-8
AC-6
AC-6
AC-6
AC-6
AU-2,PE-3,SA-4
IA-10,IA-11,SC-37
AC-17,AC-18,AC-19,CA-3,IA-4,IA-5
SC-8,SC-12,SC-13
AU-2,AU-3,AU-6,AU-12
AC-2,IA-2,IA-3,IA-5,IA-8,SC-37
AT-2
AT-2
AC-16
AC-2,AC-3,AC-6,CM-6,IA-2,IA-4,IA-8,PL4,PS-5,PS-6,SC-12,SC-13,SC-17,SC-28
IA-6
IA-6
CA-2,CA-7,RA-5
PE-18
SC-12,SC-13
AC-2,AC-14,AC-17,AC-18,IA-2,IA-4,IA5,MA-4,RA-3,SA-12,SC-8
AU-2,PE-3,SA-4
AU-2
SA-4
SA-4
AU-2
SC-8
AU-6,SI-4
AC-11
PM-9
AT-3,CP-3,IR-8
CP-4,IR-8
AT-2
AU-6,CM-6,CP-2,CP-4,IR-2,IR-3,IR-8,PE6,SC-5,SC-7,SI-3,SI-4,SI-7
AC-2,AC-4,AC-16,CM-2,CM-3,CM-4
CP-10
AU-6,IR-8,PE-6,SC-5,SC-7,SI-3,SI-4,SI-7
AU-7,IR-4
IR-4,IR-5,IR-8
IR-7
AT-2,IR-4,IR-6,IR-8,SA-9
MP-2,MP-4,MP-5
PM-9
CM-3,CM-4,MA-4,MP-6,PE-16,SA-12,SI2
CA-7,MA-3
MA-2,MA-5,MP-6
SI-7
SI-3
AC-2,AC-3,AC-5,AC-6
AC-2,AC-3,AC-6,AC-17,AU-2,AU-3,IA2,IA-4,IA-5,IA-8,MA-2,MA-5,MP-6,PL2,SC-7,SC-10,SC-17
AU-2,AU-6,AU-12
MA-3,SA-12,SI-3,SI-7
SC-13
SC-8,SC-13
SC-13
AC-2,IA-8,MP-2,PE-2,PE-3,PE-4,RA-3
MP-6,PL-2
PS-3
PS-3
PS-3
CM-8,CP-2,CP-7,SA-14,SA-15
PM-9
AC-3,IA-2,MP-4,PE-2,PE-3,PL-2
AC-16,PL-2,RA-3
CP-6,CP-9,MP-2,MP-7,PE-3
AU-2,AU-9,AU-6,AU-12
AC-19,CP-9,MP-3,MP-4,RA-3,SC-8,SC13,SC-28
MP-2
MA-2,MA-4,RA-3,SC-4
SI-12
SI-3
AC-3,MP-2
AC-19,PL-4
PL-4
MP-6
PM-9
PE-3,PE-4,PS-3
AC-2,AC-3,AC-6
IA-2,IA-4,IA-5
PS-2,PS-6
AU-2,AU-6,MP-2,MP-4,PE-2,PE-4,PE5,PS-3,RA-3
PS-2
AC-4,SC-7
CP-6,CP-7
SA-12
CA-2,CA-7
MP-2,MP-4,PE-2,PE-3,PE-5,SC-7,SC-8
PE-2,PE-3,PE-4,PE-18
CA-7,IR-4,IR-8
SI-4
PS-2,PS-3
PE-4
PE-15
AT-3,CP-2,CP-7
CP-2,CP-7
AT-3
AT-3
CM-3,MA-2,MA-3,MP-5,SA-12
AC-17,CP-7
CP-2,PE-19,RA-3
PM-8
CM-8
PM-9
AC-2,AC-6,AC-14,AC-17,AC-20,CA2,CA-3,CA-7,CM-9,CP-2,IR-8,MA-4,MA5,MP-2,MP-4,MP-5,PL-7,PM-1,PM-7,PM8,PM-9,PM-11,SA-5,SA-17
CP-4,IR-4
AC-2,AC-6,AC-8,AC-9,AC-17,AC-18,AC19,AC-20,AT-2,AT-3,CM-11,IA-2,IA-4,IA5,MP-7,PS-6,PS-8,SA-5
PL-2
CM-2,CM-6,PL-2,PM-7,SA-5,SA17,Appendix J
SC-29,SC-36
SA-12
PM-9
AT-3,PL-2,PS-3
AC-2,IA-4,PE-2,PS-2
AC-3,AC-4
AC-3,AC-4
AC-2,IA-4,PE-2,PS-5,PS-6
AC-2,IA-4,PE-2,PS-4
PL-4,PS-2,PS-3,PS-4,PS-8
PS-2,PS-3,PS-4,PS-5,PS-6,SA-9,SA-21
PL-4,PS-6
PM-9
CM-8,MP-4,RA-3,SC-7
RA-2,PM-9
CA-2,CA-7,CM-4,CM-6,RA-2,RA-3,SA11,SI-2
SI-3,SI-7
SI-3,SI-5
AU-13
IR-4,IR-5,SI-4
AU-6
PM-9
PM-3,PM-11
AT-3,PM-7,SA-8
CM-6,PL-2,PS-7,SA-3,SA-5,SA-8,SA11,SA-12
SA-5
SA-5
SA-12
CM-8
SC-8,SC-12,SC-13
SC-12,SC-13
CA-7
CM-7,SA-9
IA-2,IA-8
CM-6,CM-8,PL-2,PL-4,PS-2,SA-3,SA-4
PM-7,SA-3,SA-4,SA-17,SC-2,SC-3
CA-3,IR-7,PS-7
CA-6,RA-3
CM-7
CM-3,CM-4,CM-9,SA-12,SI-2
SI-7
SI-7
CA-2,CM-4,SA-3,SA-4,SA-5,SI-2
PM-15,RA-5
AT-3,CA-7,RA-5,SA-12
AT-3,CM-8,IR-4,PE-16,PL-8,SA-3,SA4,SA-8,SA-10,SA-14,SA-15,SA-18,SA19,SC-29,SC-30,SC-38,SI-7
SA-19
CA-2,SA-11
SA-15
RA-5
RA-2,SA-4,SA-8,SA-14,SC-3
CP-2,PL-2,PL-8,PM-1,SA-8,SA-12,SA13,SA-15,SA-20
SA-3,SA-8
SA-4,SA-14
SA-4
CM-7
RA-5
IR-8
AT-2,AT-3,SA-5
PL-8,PM-7,SA-3,SA-8
SA-5
SA-5
SA-5
SC-3
SA-11
AC-5,AC-6
PE-3,SA-12,SI-7
SA-3
SI-4
PE-3,SA-12,SI-7
CP-2,SA-8,SA-14
PS-3,PS-7
PL-2,SA-3
PM-9
SA-4,SA-8,SC-3
AC-3
AC-3,AC-6,SA-4,SA-5,SA-8,SA-13,SC2,SC-7,SC-39
AC-3,AC-4,MP-6
SC-6,SC-7
CA-7,SI-4
AC-4,AC-17,CA-3,CM-7,CP-8,IR-4,RA3,SC-5,SC-13
SC-8
AC-3,AU-2
AU-2,AU-6,SC-38,SC-44,SI-3,SI-4
SI-3
AC-3
SA-8,SC-2,SC-3
PE-4,PE-19
AC-2,AC-3,AU-2,SI-4
SC-4
CP-2,SC-24
CA-9,SC-3
AC-17,PE-4
SC-13
AU-10
SC-12,SC-13
SC-12,SC-13
AC-16,AC-25
SC-13,SC-17
AC-2,AC-3,AC-7,AC-17,AC-18,AU-9,AU10,CM-11,CP-9,IA-3,IA-7,MA-4,MP2,MP-4,MP-5,SA-4,SC-8,SC-12,SC28,SI-7
AC-21
AC-3,AC-4,AC-16
AU-10,SC-8
SC-12
AU-2,AU-12,CM-2,CM-6,SI-3
CM-6,SC-7,SC-15
AU-10,SC-8,SC-12,SC-13,SC-21,SC-22
SC-20,SC-22
SC-2,SC-20,SC-21,SC-24
SC-8,SC-10,SC-11
SC-13
SC-13
CP-2,CP-10,CP-12,SC-7,SC-22
SC-30
SC-30,SC-44,SI-3,SI-4
SC-29
AC-3,AC-6,CA-7,CM-3,CM-5,CM-6,PE3,SC-8,SC-13,SI-3,SI-7
AC-19,SC-12
SA-12,SA-14,SC-27
SC-26,SC-29,SI-14
AC-3,AC-4,PL-2
AC-4,SA-8,SC-2,SC-3,SC-7
AC-3,SI-7
AC-19,MP-7
AC-5,CM-3,CM-5,CM-9,MP-2,MP-4,MP5,SA-12,SC-28,SI-3
SC-26,SC-44,SI-3,SI-4
CP-6,CP-7
SI-4
AC-2,CM-3,CM-5,CM-7,IA-4,IA-5,MA4,SC-12,SI-3,SI-4,SI-7
RA-2,RA-5,SA-12
AC-3,AC-4,AC-6,SA-4,SA-5,SA-8,SC2,SC-3
AC-18,SC-5
SC-12,SC-13
SC-12,SC-13
SC-12,SC-13
SC-12,SC-13
CM-6,SC-7
SC-7,SC-25,SC-26,SC-30
PM-9
CA-2,CA-7,CM-3,CM-5,CM-8,MA-2,IR4,RA-5,SA-10,SA-11,SI-11
CM-6,SI-4
CM-3,MP-2,SA-4,SA-8,SA-12,SA-13,SC7,SC-26,SC-44,SI-2,SI-4,SI-7
AU-2,SI-8
SI-8
AC-6,CM-5
CA-2,CA-7,RA-5
AU-6
SC-12,SC-13,SC-23
AC-3,AC-4,AC-8,AC-17,AU-2,AU-6,AU7,AU-9,AU-12,CA-7,IR-4,PE-3,RA-5,SC7,SC-26,SC-35,SI-3,SI-7
AU-5,PE-6
CP-9
AC-18,IA-3
AC-18,IA-3
AC-18
AU-6
SA-12
AC-6,CM-7,SA-5,SA-9
SI-2
CA-7,CM-6
SI-2
SA-12,SI-4,SI-5
SA-12,SC-8,SC-13,SI-3
AU-3,SI-2,SI-8
SC-13
IR-4,IR-5,SI-4
AU-2,AU-6,AU-12
SA-5
AT-2,AT-3,SC-5,SC-7,SI-3
AU-3,SI-2,SI-7
CM-3,CM-5
AU-2,AU-3,SC-31
AC-16,AU-5,AU-11,MP-2,MP-4
CP-2,CP-10,MA-6
SC-30,SC-34
SI-3,SI-4
AC-25,SC-3
CP-12,CP-13,SC-24,SI-13
PM-8
PM-4,SA-2
CA-5
PL-2,PL-8,PM-11,RA-2,SA-3
PM-1,PM-9,PM-11,RA-3
RA-3
CA-6
PM-7,PM-8,RA-2
AC-6,AT-2,AU-6,AU-7,AU-10,AU-12,AU13,CA-7,IA-4,IR-4,MP-7,PE-2,PS-3,PS4,PS-5,PS-8,SC-7,SC-38,SI-4,PM-1,PM14
AT-2,AT-3
AT-3,CA-7,CP-4,IR-3,SI-4
SI-5
PM-12,PM-16

NIST SP 800 53r4 Controls

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NIST SP 800 53r4 Controls

Uploaded by

Copyright:

Available Formats

FAMILY

ACCESS CONTROL POLICY AND

ACCESS CONTROL POLICY AND

ACCESS CONTROL POLICY AND

ACCESS CONTROL POLICY AND

ACCESS CONTROL POLICY AND

ACCESS CONTROL POLICY AND

ACCESS CONTROL POLICY AND

AUTOMATED SYSTEM ACCOUNT

REMOVAL OF TEMPORARY / EMERGENCY

DISABLE INACTIVE ACCOUNTS

AUTOMATED AUDIT ACTIONS

DYNAMIC PRIVILEGE MANAGEMENT

DYNAMIC ACCOUNT CREATION

RESTRICTIONS ON USE OF SHARED / GROUP

SHARED / GROUP ACCOUNT CREDENTIAL

ACCOUNT MONITORING / ATYPICAL USAGE

ACCOUNT MONITORING / ATYPICAL USAGE

ACCOUNT MONITORING / ATYPICAL USAGE

DISABLE ACCOUNTS FOR HIGH-RISK

RESTRICTED ACCESS TO PRIVILEGED

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

MANDATORY ACCESS CONTROL

DISCRETIONARY ACCESS CONTROL

DISCRETIONARY ACCESS CONTROL

DISCRETIONARY ACCESS CONTROL

DISCRETIONARY ACCESS CONTROL

DISCRETIONARY ACCESS CONTROL

DISCRETIONARY ACCESS CONTROL

PROTECTION OF USER AND SYSTEM

ROLE-BASED ACCESS CONTROL

REVOCATION OF ACCESS AUTHORIZATIONS

AUDITED OVERRIDE OF ACCESS CONTROL

INFORMATION FLOW ENFORCEMENT

OBJECT SECURITY ATTRIBUTES

DYNAMIC INFORMATION FLOW CONTROL

CONTENT CHECK ENCRYPTED INFORMATION

EMBEDDED DATA TYPES

ONE-WAY FLOW MECHANISMS

SECURITY POLICY FILTERS

ENABLE / DISABLE SECURITY POLICY FILTERS

CONFIGURATION OF SECURITY POLICY

DATA TYPE IDENTIFIERS

DECOMPOSITION INTO POLICY-RELEVANT

SECURITY POLICY FILTER CONSTRAINTS

SECURITY ATTRIBUTE BINDING

PHYSICAL / LOGICAL SEPARATION OF

AUTHORIZE ACCESS TO SECURITY

NON-PRIVILEGED ACCESS FOR

NETWORK ACCESS TO PRIVILEGED

SEPARATE PROCESSING DOMAINS

PRIVILEGED ACCESS BY NONORGANIZATIONAL USERS

REVIEW OF USER PRIVILEGES

REVIEW OF USER PRIVILEGES

REVIEW OF USER PRIVILEGES

PRIVILEGE LEVELS FOR CODE EXECUTION

AUDITING USE OF PRIVILEGED FUNCTIONS