Control Browser
Home
NIST_SP800-53@R5
AC-1
AC-2
AC-2(1) - Account Management | Automated System Account Management
AC-2(2) - Account Management | Automated Temporary and Emergency Account Management
AC-2(3) - Account Management | Disable Accounts
AC-2(4) - Account Management | Automated Audit Actions
AC-2(5) - Account Management | Inactivity Logout
AC-2(6) - Account Management | Dynamic Privilege Management
AC-2(7) - Account Management | Privileged User Accounts
AC-2(8) - Account Management | Dynamic Account Management
AC-2(9) - Account Management | Restrictions on Use of Shared and Group Accounts
AC-2(10) - Account Management | Shared and Group Account Credential Change
AC-2(11) - Account Management | Usage Conditions
AC-2(12) - Account Management | Account Monitoring for Atypical Usage
AC-2(13) - Account Management | Disable Accounts for High-risk Individuals
AC-3
AC-3(1) - Access Enforcement | Restricted Access to Privileged Functions
AC-3(2) - Access Enforcement | Dual Authorization
AC-3(3) - Access Enforcement | Mandatory Access Control
AC-3(4) - Access Enforcement | Discretionary Access Control
AC-3(5) - Access Enforcement | Security-relevant Information
AC-3(6) - Access Enforcement | Protection of User and System Information
AC-3(7) - Access Enforcement | Role-based Access Control
AC-3(8) - Access Enforcement | Revocation of Access Authorizations
AC-3(9) - Access Enforcement | Controlled Release
AC-3(10) - Access Enforcement | Audited Override of Access Control Mechanisms
AC-3(11) - Access Enforcement | Restrict Access to Specific Information Types
AC-3(12) - Access Enforcement | Assert and Enforce Application Access
AC-3(13) - Access Enforcement | Attribute-based Access Control
AC-3(14) - Access Enforcement | Individual Access
AC-3(15) - Access Enforcement | Discretionary and Mandatory Access Control
AC-4
AC-4(1) - Information Flow Enforcement | Object Security and Privacy Attributes
AC-4(2) - Information Flow Enforcement | Processing Domains
AC-4(3) - Information Flow Enforcement | Dynamic Information Flow Control
AC-4(4) - Information Flow Enforcement | Flow Control of Encrypted Information
AC-4(5) - Information Flow Enforcement | Embedded Data Types
AC-4(6) - Information Flow Enforcement | Metadata
AC-4(7) - Information Flow Enforcement | One-way Flow Mechanisms
AC-4(8) - Information Flow Enforcement | Security and Privacy Policy Filters
AC-4(9) - Information Flow Enforcement | Human Reviews
AC-4(10) - Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters
AC-4(11) - Information Flow Enforcement | Configuration of Security or Privacy Policy Filters
AC-4(12) - Information Flow Enforcement | Data Type Identifiers
AC-4(13) - Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents
AC-4(14) - Information Flow Enforcement | Security or Privacy Policy Filter Constraints
AC-4(15) - Information Flow Enforcement | Detection of Unsanctioned Information
AC-4(16) - Information Flow Enforcement | Information Transfers on Interconnected Systems
AC-4(17) - Information Flow Enforcement | Domain Authentication
AC-4(18) - Information Flow Enforcement | Security Attribute Binding
AC-4(19) - Information Flow Enforcement | Validation of Metadata
AC-4(20) - Information Flow Enforcement | Approved Solutions
AC-4(21) - Information Flow Enforcement | Physical or Logical Separation of Information Flows
AC-4(22) - Information Flow Enforcement | Access Only
AC-4(23) - Information Flow Enforcement | Modify Non-releasable Information
AC-4(24) - Information Flow Enforcement | Internal Normalized Format
AC-4(25) - Information Flow Enforcement | Data Sanitization
AC-4(26) - Information Flow Enforcement | Audit Filtering Actions
AC-4(27) - Information Flow Enforcement | Redundant/independent Filtering Mechanisms
AC-4(28) - Information Flow Enforcement | Linear Filter Pipelines
AC-4(29) - Information Flow Enforcement | Filter Orchestration Engines
AC-4(30) - Information Flow Enforcement | Filter Mechanisms Using Multiple Processes
AC-4(31) - Information Flow Enforcement | Failed Content Transfer Prevention
AC-4(32) - Information Flow Enforcement | Process Requirements for Information Transfer
AC-5
AC-6
AC-6(1) - Least Privilege | Authorize Access to Security Functions
AC-6(2) - Least Privilege | Non-privileged Access for Nonsecurity Functions
AC-6(3) - Least Privilege | Network Access to Privileged Commands
AC-6(4) - Least Privilege | Separate Processing Domains
AC-6(5) - Least Privilege | Privileged Accounts
AC-6(6) - Least Privilege | Privileged Access by Non-organizational Users
AC-6(7) - Least Privilege | Review of User Privileges
AC-6(8) - Least Privilege | Privilege Levels for Code Execution
AC-6(9) - Least Privilege | Log Use of Privileged Functions
AC-6(10) - Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-7
AC-7(1) - Unsuccessful Logon Attempts | Automatic Account Lock
AC-7(2) - Unsuccessful Logon Attempts | Purge or Wipe Mobile Device
AC-7(3) - Unsuccessful Logon Attempts | Biometric Attempt Limiting
AC-7(4) - Unsuccessful Logon Attempts | Use of Alternate Authentication Factor
AC-8
AC-9
AC-9(1) - Previous Logon Notification | Unsuccessful Logons
AC-9(2) - Previous Logon Notification | Successful and Unsuccessful Logons
AC-9(3) - Previous Logon Notification | Notification of Account Changes
AC-9(4) - Previous Logon Notification | Additional Logon Information
AC-10
AC-11
AC-11(1) - Device Lock | Pattern-hiding Displays
AC-12
AC-12(1) - Session Termination | User-initiated Logouts
AC-12(2) - Session Termination | Termination Message
AC-12(3) - Session Termination | Timeout Warning Message
AC-13
AC-14
AC-14(1) - Permitted Actions Without Identification or Authentication | Necessary Uses
AC-15
AC-16
AC-16(1) - Security and Privacy Attributes | Dynamic Attribute Association
AC-16(2) - Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals
AC-16(3) - Security and Privacy Attributes | Maintenance of Attribute Associations by System
AC-16(4) - Security and Privacy Attributes | Association of Attributes by Authorized Individuals
AC-16(5) - Security and Privacy Attributes | Attribute Displays on Objects to Be Output
AC-16(6) - Security and Privacy Attributes | Maintenance of Attribute Association
AC-16(7) - Security and Privacy Attributes | Consistent Attribute Interpretation
AC-16(8) - Security and Privacy Attributes | Association Techniques and Technologies
AC-16(9) - Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms
AC-16(10) - Security and Privacy Attributes | Attribute Configuration by Authorized Individuals
AC-17
AC-17(1) - Remote Access | Monitoring and Control
AC-17(2) - Remote Access | Protection of Confidentiality and Integrity Using Encryption
AC-17(3) - Remote Access | Managed Access Control Points
AC-17(4) - Remote Access | Privileged Commands and Access
AC-17(5) - Remote Access | Monitoring for Unauthorized Connections
AC-17(6) - Remote Access | Protection of Mechanism Information
AC-17(7) - Remote Access | Additional Protection for Security Function Access
AC-17(8) - Remote Access | Disable Nonsecure Network Protocols
AC-17(9) - Remote Access | Disconnect or Disable Access
AC-17(10) - Remote Access | Authenticate Remote Commands
AC-18
AC-18(1) - Wireless Access | Authentication and Encryption
AC-18(2) - Wireless Access | Monitoring Unauthorized Connections
AC-18(3) - Wireless Access | Disable Wireless Networking
AC-18(4) - Wireless Access | Restrict Configurations by Users
AC-18(5) - Wireless Access | Antennas and Transmission Power Levels
AC-19
AC-19(1) - Access Control for Mobile Devices | Use of Writable and Portable Storage Devices
AC-19(2) - Access Control for Mobile Devices | Use of Personally Owned Portable Storage Devices
AC-19(3) - Access Control for Mobile Devices | Use of Portable Storage Devices with No Identifiable Owner
AC-19(4) - Access Control for Mobile Devices | Restrictions for Classified Information
AC-19(5) - Access Control for Mobile Devices | Full Device or Container-based Encryption
AC-20
AC-20(1) - Use of External Systems | Limits on Authorized Use
AC-20(2) - Use of External Systems | Portable Storage Devices — Restricted Use
AC-20(3) - Use of External Systems | Non-organizationally Owned Systems — Restricted Use
AC-20(4) - Use of External Systems | Network Accessible Storage Devices — Prohibited Use
AC-20(5) - Use of External Systems | Portable Storage Devices — Prohibited Use
AC-21
AC-21(1) - Information Sharing | Automated Decision Support
AC-21(2) - Information Sharing | Information Search and Retrieval
AC-22
AC-23
AC-24
AC-24(1) - Access Control Decisions | Transmit Access Authorization Information
AC-24(2) - Access Control Decisions | No User or Process Identity
AC-25
AT-1
AT-2
AT-2(1) - Literacy Training and Awareness | Practical Exercises
AT-2(2) - Literacy Training and Awareness | Insider Threat
AT-2(3) - Literacy Training and Awareness | Social Engineering and Mining
AT-2(4) - Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior
AT-2(5) - Literacy Training and Awareness | Advanced Persistent Threat
AT-2(6) - Literacy Training and Awareness | Cyber Threat Environment
AT-3
AT-3(1) - Role-based Training | Environmental Controls
AT-3(2) - Role-based Training | Physical Security Controls
AT-3(3) - Role-based Training | Practical Exercises
AT-3(4) - Role-based Training | Suspicious Communications and Anomalous System Behavior
AT-3(5) - Role-based Training | Processing Personally Identifiable Information
AT-4
AT-5
AT-6
AU-1
AU-2
AU-2(1) - Event Logging | Compilation of Audit Records from Multiple Sources
AU-2(2) - Event Logging | Selection of Audit Events by Component
AU-2(3) - Event Logging | Reviews and Updates
AU-2(4) - Event Logging | Privileged Functions
AU-3
AU-3(1) - Content of Audit Records | Additional Audit Information
AU-3(2) - Content of Audit Records | Centralized Management of Planned Audit Record Content
AU-3(3) - Content of Audit Records | Limit Personally Identifiable Information Elements
AU-4
AU-4(1) - Audit Log Storage Capacity | Transfer to Alternate Storage
AU-5
AU-5(1) - Response to Audit Logging Process Failures | Storage Capacity Warning
AU-5(2) - Response to Audit Logging Process Failures | Real-time Alerts
AU-5(3) - Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds
AU-5(4) - Response to Audit Logging Process Failures | Shutdown on Failure
AU-5(5) - Response to Audit Logging Process Failures | Alternate Audit Logging Capability
AU-6
AU-6(1) - Audit Record Review, Analysis, and Reporting | Automated Process Integration
AU-6(2) - Audit Record Review, Analysis, and Reporting | Automated Security Alerts
AU-6(3) - Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
AU-6(4) - Audit Record Review, Analysis, and Reporting | Central Review and Analysis
AU-6(5) - Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records
AU-6(6) - Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring
AU-6(7) - Audit Record Review, Analysis, and Reporting | Permitted Actions
AU-6(8) - Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands
AU-6(9) - Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources
AU-6(10) - Audit Record Review, Analysis, and Reporting | Audit Level Adjustment
AU-7
AU-7(1) - Audit Record Reduction and Report Generation | Automatic Processing
AU-7(2) - Audit Record Reduction and Report Generation | Automatic Sort and Search
AU-8
AU-8(1) - Time Stamps | Synchronization with Authoritative Time Source
AU-8(2) - Time Stamps | Secondary Authoritative Time Source
AU-9
AU-9(1) - Protection of Audit Information | Hardware Write-once Media
AU-9(2) - Protection of Audit Information | Store on Separate Physical Systems or Components
AU-9(3) - Protection of Audit Information | Cryptographic Protection
AU-9(4) - Protection of Audit Information | Access by Subset of Privileged Users
AU-9(5) - Protection of Audit Information | Dual Authorization
AU-9(6) - Protection of Audit Information | Read-only Access
AU-9(7) - Protection of Audit Information | Store on Component with Different Operating System
AU-10
AU-10(1) - Non-repudiation | Association of Identities
AU-10(2) - Non-repudiation | Validate Binding of Information Producer Identity
AU-10(3) - Non-repudiation | Chain of Custody
AU-10(4) - Non-repudiation | Validate Binding of Information Reviewer Identity
AU-10(5) - Non-repudiation | Digital Signatures
AU-11
AU-11(1) - Audit Record Retention | Long-term Retrieval Capability
AU-12
AU-12(1) - Audit Record Generation | System-wide and Time-correlated Audit Trail
AU-12(2) - Audit Record Generation | Standardized Formats
AU-12(3) - Audit Record Generation | Changes by Authorized Individuals
AU-12(4) - Audit Record Generation | Query Parameter Audits of Personally Identifiable Information
AU-13
AU-13(1) - Monitoring for Information Disclosure | Use of Automated Tools
AU-13(2) - Monitoring for Information Disclosure | Review of Monitored Sites
AU-13(3) - Monitoring for Information Disclosure | Unauthorized Replication of Information
AU-14
AU-14(1) - Session Audit | System Start-up
AU-14(2) - Session Audit | Capture and Record Content
AU-14(3) - Session Audit | Remote Viewing and Listening
AU-15
AU-16
AU-16(1) - Cross-organizational Audit Logging | Identity Preservation
AU-16(2) - Cross-organizational Audit Logging | Sharing of Audit Information
AU-16(3) - Cross-organizational Audit Logging | Disassociability
CA-1
CA-2
CA-2(1) - Control Assessments | Independent Assessors
CA-2(2) - Control Assessments | Specialized Assessments
CA-2(3) - Control Assessments | Leveraging Results from External Organizations
CA-3
CA-3(1) - Information Exchange | Unclassified National Security System Connections
CA-3(2) - Information Exchange | Classified National Security System Connections
CA-3(3) - Information Exchange | Unclassified Non-national Security System Connections
CA-3(4) - Information Exchange | Connections to Public Networks
CA-3(5) - Information Exchange | Restrictions on External System Connections
CA-3(6) - Information Exchange | Transfer Authorizations
CA-3(7) - Information Exchange | Transitive Information Exchanges
CA-4
CA-5
CA-5(1) - Plan of Action and Milestones | Automation Support for Accuracy and Currency
CA-6
CA-6(1) - Authorization | Joint Authorization — Intra-organization
CA-6(2) - Authorization | Joint Authorization — Inter-organization
CA-7
CA-7(1) - Continuous Monitoring | Independent Assessment
CA-7(2) - Continuous Monitoring | Types of Assessments
CA-7(3) - Continuous Monitoring | Trend Analyses
CA-7(4) - Continuous Monitoring | Risk Monitoring
CA-7(5) - Continuous Monitoring | Consistency Analysis
CA-7(6) - Continuous Monitoring | Automation Support for Monitoring
CA-8
CA-8(1) - Penetration Testing | Independent Penetration Testing Agent or Team
CA-8(2) - Penetration Testing | Red Team Exercises
CA-8(3) - Penetration Testing | Facility Penetration Testing
CA-9
CA-9(1) - Internal System Connections | Compliance Checks
CM-1
CM-2
CM-2(1) - Baseline Configuration | Reviews and Updates
CM-2(2) - Baseline Configuration | Automation Support for Accuracy and Currency
CM-2(3) - Baseline Configuration | Retention of Previous Configurations
CM-2(4) - Baseline Configuration | Unauthorized Software
CM-2(5) - Baseline Configuration | Authorized Software
CM-2(6) - Baseline Configuration | Development and Test Environments
CM-2(7) - Baseline Configuration | Configure Systems and Components for High-risk Areas
CM-3
CM-3(1) - Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes
CM-3(2) - Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-3(3) - Configuration Change Control | Automated Change Implementation
CM-3(4) - Configuration Change Control | Security and Privacy Representatives
CM-3(5) - Configuration Change Control | Automated Security Response
CM-3(6) - Configuration Change Control | Cryptography Management
CM-3(7) - Configuration Change Control | Review System Changes
CM-3(8) - Configuration Change Control | Prevent or Restrict Configuration Changes
CM-4
CM-4(1) - Impact Analyses | Separate Test Environments
CM-4(2) - Impact Analyses | Verification of Controls
CM-5
CM-5(1) - Access Restrictions for Change | Automated Access Enforcement and Audit Records
CM-5(2) - Access Restrictions for Change | Review System Changes
CM-5(3) - Access Restrictions for Change | Signed Components
CM-5(4) - Access Restrictions for Change | Dual Authorization
CM-5(5) - Access Restrictions for Change | Privilege Limitation for Production and Operation
CM-5(6) - Access Restrictions for Change | Limit Library Privileges
CM-5(7) - Access Restrictions for Change | Automatic Implementation of Security Safeguards
CM-6
CM-6(1) - Configuration Settings | Automated Management, Application, and Verification
CM-6(2) - Configuration Settings | Respond to Unauthorized Changes
CM-6(3) - Configuration Settings | Unauthorized Change Detection
CM-6(4) - Configuration Settings | Conformance Demonstration
CM-7
CM-7(1) - Least Functionality | Periodic Review
CM-7(2) - Least Functionality | Prevent Program Execution
CM-7(3) - Least Functionality | Registration Compliance
CM-7(4) - Least Functionality | Unauthorized Software
CM-7(5) - Least Functionality | Authorized Software
CM-7(6) - Least Functionality | Confined Environments with Limited Privileges
CM-7(7) - Least Functionality | Code Execution in Protected Environments
CM-7(8) - Least Functionality | Binary or Machine Executable Code
CM-7(9) - Least Functionality | Prohibiting The Use of Unauthorized Hardware
CM-8
CM-8(1) - System Component Inventory | Updates During Installation and Removal
CM-8(2) - System Component Inventory | Automated Maintenance
CM-8(3) - System Component Inventory | Automated Unauthorized Component Detection
CM-8(4) - System Component Inventory | Accountability Information
CM-8(5) - System Component Inventory | No Duplicate Accounting of Components
CM-8(6) - System Component Inventory | Assessed Configurations and Approved Deviations
CM-8(7) - System Component Inventory | Centralized Repository
CM-8(8) - System Component Inventory | Automated Location Tracking
CM-8(9) - System Component Inventory | Assignment of Components to Systems
CM-9
CM-9(1) - Configuration Management Plan | Assignment of Responsibility
CM-10
CM-10(1) - Software Usage Restrictions | Open-source Software
CM-11
CM-11(1) - User-installed Software | Alerts for Unauthorized Installations
CM-11(2) - User-installed Software | Software Installation with Privileged Status
CM-11(3) - User-installed Software | Automated Enforcement and Monitoring
CM-12
CM-12(1) - Information Location | Automated Tools to Support Information Location
CM-13
CM-14
CP-1
CP-2
CP-2(1) - Contingency Plan | Coordinate with Related Plans
CP-2(2) - Contingency Plan | Capacity Planning
CP-2(3) - Contingency Plan | Resume Mission and Business Functions
CP-2(4) - Contingency Plan | Resume All Mission and Business Functions
CP-2(5) - Contingency Plan | Continue Mission and Business Functions
CP-2(6) - Contingency Plan | Alternate Processing and Storage Sites
CP-2(7) - Contingency Plan | Coordinate with External Service Providers
CP-2(8) - Contingency Plan | Identify Critical Assets
CP-3
CP-3(1) - Contingency Training | Simulated Events
CP-3(2) - Contingency Training | Mechanisms Used in Training Environments
CP-4
CP-4(1) - Contingency Plan Testing | Coordinate with Related Plans
CP-4(2) - Contingency Plan Testing | Alternate Processing Site
CP-4(3) - Contingency Plan Testing | Automated Testing
CP-4(4) - Contingency Plan Testing | Full Recovery and Reconstitution
CP-4(5) - Contingency Plan Testing | Self-challenge
CP-5
CP-6
CP-6(1) - Alternate Storage Site | Separation from Primary Site
CP-6(2) - Alternate Storage Site | Recovery Time and Recovery Point Objectives
CP-6(3) - Alternate Storage Site | Accessibility
CP-7
CP-7(1) - Alternate Processing Site | Separation from Primary Site
CP-7(2) - Alternate Processing Site | Accessibility
CP-7(3) - Alternate Processing Site | Priority of Service
CP-7(4) - Alternate Processing Site | Preparation for Use
CP-7(5) - Alternate Processing Site | Equivalent Information Security Safeguards
CP-7(6) - Alternate Processing Site | Inability to Return to Primary Site
CP-8
CP-8(1) - Telecommunications Services | Priority of Service Provisions
CP-8(2) - Telecommunications Services | Single Points of Failure
CP-8(3) - Telecommunications Services | Separation of Primary and Alternate Providers
CP-8(4) - Telecommunications Services | Provider Contingency Plan
CP-8(5) - Telecommunications Services | Alternate Telecommunication Service Testing
CP-9
CP-9(1) - System Backup | Testing for Reliability and Integrity
CP-9(2) - System Backup | Test Restoration Using Sampling
CP-9(3) - System Backup | Separate Storage for Critical Information
CP-9(4) - System Backup | Protection from Unauthorized Modification
CP-9(5) - System Backup | Transfer to Alternate Storage Site
CP-9(6) - System Backup | Redundant Secondary System
CP-9(7) - System Backup | Dual Authorization
CP-9(8) - System Backup | Cryptographic Protection
CP-10
CP-10(1) - System Recovery and Reconstitution | Contingency Plan Testing
CP-10(2) - System Recovery and Reconstitution | Transaction Recovery
CP-10(3) - System Recovery and Reconstitution | Compensating Security Controls
CP-10(4) - System Recovery and Reconstitution | Restore Within Time Period
CP-10(5) - System Recovery and Reconstitution | Failover Capability
CP-10(6) - System Recovery and Reconstitution | Component Protection
CP-11
CP-12
CP-13
IA-1
IA-2
IA-2(1) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
IA-2(2) - Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
IA-2(3) - Identification and Authentication (organizational Users) | Local Access to Privileged Accounts
IA-2(4) - Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts
IA-2(5) - Identification and Authentication (organizational Users) | Individual Authentication with Group Authentication
IA-2(6) - Identification and Authentication (organizational Users) | Access to Accounts — Separate Device
IA-2(7) - Identification and Authentication (organizational Users) | Access to Non-privileged Accounts — Separate Device
IA-2(8) - Identification and Authentication (organizational Users) | Access to Accounts — Replay Resistant
IA-2(9) - Identification and Authentication (organizational Users) | Network Access to Non-privileged Accounts — Replay Resistant
IA-2(10) - Identification and Authentication (organizational Users) | Single Sign-on
IA-2(11) - Identification and Authentication (organizational Users) | Remote Access — Separate Device
IA-2(12) - Identification and Authentication (organizational Users) | Acceptance of PIV Credentials
IA-2(13) - Identification and Authentication (organizational Users) | Out-of-band Authentication
IA-3
IA-3(1) - Device Identification and Authentication | Cryptographic Bidirectional Authentication
IA-3(2) - Device Identification and Authentication | Cryptographic Bidirectional Network Authentication
IA-3(3) - Device Identification and Authentication | Dynamic Address Allocation
IA-3(4) - Device Identification and Authentication | Device Attestation
IA-4
IA-4(1) - Identifier Management | Prohibit Account Identifiers as Public Identifiers
IA-4(2) - Identifier Management | Supervisor Authorization
IA-4(3) - Identifier Management | Multiple Forms of Certification
IA-4(4) - Identifier Management | Identify User Status
IA-4(5) - Identifier Management | Dynamic Management
IA-4(6) - Identifier Management | Cross-organization Management
IA-4(7) - Identifier Management | In-person Registration
IA-4(8) - Identifier Management | Pairwise Pseudonymous Identifiers
IA-4(9) - Identifier Management | Attribute Maintenance and Protection
IA-5
IA-5(1) - Authenticator Management | Password-based Authentication
IA-5(2) - Authenticator Management | Public Key-based Authentication
IA-5(3) - Authenticator Management | In-person or Trusted External Party Registration
IA-5(4) - Authenticator Management | Automated Support for Password Strength Determination
IA-5(5) - Authenticator Management | Change Authenticators Prior to Delivery
IA-5(6) - Authenticator Management | Protection of Authenticators
IA-5(7) - Authenticator Management | No Embedded Unencrypted Static Authenticators
IA-5(8) - Authenticator Management | Multiple System Accounts
IA-5(9) - Authenticator Management | Federated Credential Management
IA-5(10) - Authenticator Management | Dynamic Credential Binding
IA-5(11) - Authenticator Management | Hardware Token-based Authentication
IA-5(12) - Authenticator Management | Biometric Authentication Performance
IA-5(13) - Authenticator Management | Expiration of Cached Authenticators
IA-5(14) - Authenticator Management | Managing Content of PKI Trust Stores
IA-5(15) - Authenticator Management | Gsa-approved Products and Services
IA-5(16) - Authenticator Management | In-person or Trusted External Party Authenticator Issuance
IA-5(17) - Authenticator Management | Presentation Attack Detection for Biometric Authenticators
IA-5(18) - Authenticator Management | Password Managers
IA-6
IA-7
IA-8
IA-8(1) - Identification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies
IA-8(2) - Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
IA-8(3) - Identification and Authentication (non-organizational Users) | Use of Ficam-approved Products
IA-8(4) - Identification and Authentication (non-organizational Users) | Use of Defined Profiles
IA-8(5) - Identification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials
IA-8(6) - Identification and Authentication (non-organizational Users) | Disassociability
IA-9
IA-9(1) - Service Identification and Authentication | Information Exchange
IA-9(2) - Service Identification and Authentication | Transmission of Decisions
IA-10
IA-11
IA-12
IA-12(1) - Identity Proofing | Supervisor Authorization
IA-12(2) - Identity Proofing | Identity Evidence
IA-12(3) - Identity Proofing | Identity Evidence Validation and Verification
IA-12(4) - Identity Proofing | In-person Validation and Verification
IA-12(5) - Identity Proofing | Address Confirmation
IA-12(6) - Identity Proofing | Accept Externally-proofed Identities
IR-1
IR-2
IR-2(1) - Incident Response Training | Simulated Events
IR-2(2) - Incident Response Training | Automated Training Environments
IR-2(3) - Incident Response Training | Breach
IR-3
IR-3(1) - Incident Response Testing | Automated Testing
IR-3(2) - Incident Response Testing | Coordination with Related Plans
IR-3(3) - Incident Response Testing | Continuous Improvement
IR-4
IR-4(1) - Incident Handling | Automated Incident Handling Processes
IR-4(2) - Incident Handling | Dynamic Reconfiguration
IR-4(3) - Incident Handling | Continuity of Operations
IR-4(4) - Incident Handling | Information Correlation
IR-4(5) - Incident Handling | Automatic Disabling of System
IR-4(6) - Incident Handling | Insider Threats
IR-4(7) - Incident Handling | Insider Threats — Intra-organization Coordination
IR-4(8) - Incident Handling | Correlation with External Organizations
IR-4(9) - Incident Handling | Dynamic Response Capability
IR-4(10) - Incident Handling | Supply Chain Coordination
IR-4(11) - Incident Handling | Integrated Incident Response Team
IR-4(12) - Incident Handling | Malicious Code and Forensic Analysis
IR-4(13) - Incident Handling | Behavior Analysis
IR-4(14) - Incident Handling | Security Operations Center
IR-4(15) - Incident Handling | Public Relations and Reputation Repair
IR-5
IR-5(1) - Incident Monitoring | Automated Tracking, Data Collection, and Analysis
IR-6
IR-6(1) - Incident Reporting | Automated Reporting
IR-6(2) - Incident Reporting | Vulnerabilities Related to Incidents
IR-6(3) - Incident Reporting | Supply Chain Coordination
IR-7
IR-7(1) - Incident Response Assistance | Automation Support for Availability of Information and Support
IR-7(2) - Incident Response Assistance | Coordination with External Providers
IR-8
IR-8(1) - Incident Response Plan | Breaches
IR-9
IR-9(1) - Information Spillage Response | Responsible Personnel
IR-9(2) - Information Spillage Response | Training
IR-9(3) - Information Spillage Response | Post-spill Operations
IR-9(4) - Information Spillage Response | Exposure to Unauthorized Personnel
IR-10
MA-1
MA-2
MA-2(1) - Controlled Maintenance | Record Content
MA-2(2) - Controlled Maintenance | Automated Maintenance Activities
MA-3
MA-3(1) - Maintenance Tools | Inspect Tools
MA-3(2) - Maintenance Tools | Inspect Media
MA-3(3) - Maintenance Tools | Prevent Unauthorized Removal
MA-3(4) - Maintenance Tools | Restricted Tool Use
MA-3(5) - Maintenance Tools | Execution with Privilege
MA-3(6) - Maintenance Tools | Software Updates and Patches
MA-4
MA-4(1) - Nonlocal Maintenance | Logging and Review
MA-4(2) - Nonlocal Maintenance | Logically separated communications paths.
MA-4(3) - Nonlocal Maintenance | Comparable Security and Sanitization
MA-4(4) - Nonlocal Maintenance | Authentication and Separation of Maintenance Sessions
MA-4(5) - Nonlocal Maintenance | Approvals and Notifications
MA-4(6) - Nonlocal Maintenance | Cryptographic Protection
MA-4(7) - Nonlocal Maintenance | Disconnect Verification
MA-5
MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access
MA-5(2) - Maintenance Personnel | Security Clearances for Classified Systems
MA-5(3) - Maintenance Personnel | Citizenship Requirements for Classified Systems
MA-5(4) - Maintenance Personnel | Foreign Nationals
MA-5(5) - Maintenance Personnel | Non-system Maintenance
MA-6
MA-6(1) - Timely Maintenance | Preventive Maintenance
MA-6(2) - Timely Maintenance | Predictive Maintenance
MA-6(3) - Timely Maintenance | Automated Support for Predictive Maintenance
MA-7
MP-1
MP-2
MP-2(1) - Media Access | Automated Restricted Access
MP-2(2) - Media Access | Cryptographic Protection
MP-3
MP-4
MP-4(1) - Media Storage | Cryptographic Protection
MP-4(2) - Media Storage | Automated Restricted Access
MP-5
MP-5(1) - Media Transport | Protection Outside of Controlled Areas
MP-5(2) - Media Transport | Documentation of Activities
MP-5(3) - Media Transport | Custodians
MP-5(4) - Media Transport | Cryptographic Protection
MP-6
MP-6(1) - Media Sanitization | Review, Approve, Track, Document, and Verify
MP-6(2) - Media Sanitization | Equipment Testing
MP-6(3) - Media Sanitization | Nondestructive Techniques
MP-6(4) - Media Sanitization | Controlled Unclassified Information
MP-6(5) - Media Sanitization | Classified Information
MP-6(6) - Media Sanitization | Media Destruction
MP-6(7) - Media Sanitization | Dual Authorization
MP-6(8) - Media Sanitization | Remote Purging or Wiping of Information
MP-7
MP-7(1) - Media Use | Prohibit Use Without Owner
MP-7(2) - Media Use | Prohibit Use of Sanitization-resistant Media
MP-8
MP-8(1) - Media Downgrading | Documentation of Process
MP-8(2) - Media Downgrading | Equipment Testing
MP-8(3) - Media Downgrading | Controlled Unclassified Information
MP-8(4) - Media Downgrading | Classified Information
PE-1
PE-2
PE-2(1) - Physical Access Authorizations | Access by Position or Role
PE-2(2) - Physical Access Authorizations | Two Forms of Identification
PE-2(3) - Physical Access Authorizations | Restrict Unescorted Access
PE-3
PE-3(1) - Physical Access Control | System Access
PE-3(2) - Physical Access Control | Facility and Systems
PE-3(3) - Physical Access Control | Continuous Guards
PE-3(4) - Physical Access Control | Lockable Casings
PE-3(5) - Physical Access Control | Tamper Protection
PE-3(6) - Physical Access Control | Facility Penetration Testing
PE-3(7) - Physical Access Control | Physical Barriers
PE-3(8) - Physical Access Control | Access Control Vestibules
PE-4
PE-5
PE-5(1) - Access Control for Output Devices | Access to Output by Authorized Individuals
PE-5(2) - Access Control for Output Devices | Link to Individual Identity
PE-5(3) - Access Control for Output Devices | Marking Output Devices
PE-6
PE-6(1) - Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-6(2) - Monitoring Physical Access | Automated Intrusion Recognition and Responses
PE-6(3) - Monitoring Physical Access | Video Surveillance
PE-6(4) - Monitoring Physical Access | Monitoring Physical Access to Systems
PE-7
PE-8
PE-8(1) - Visitor Access Records | Automated Records Maintenance and Review
PE-8(2) - Visitor Access Records | Physical Access Records
PE-8(3) - Visitor Access Records | Limit Personally Identifiable Information Elements
PE-9
PE-9(1) - Power Equipment and Cabling | Redundant Cabling
PE-9(2) - Power Equipment and Cabling | Automatic Voltage Controls
PE-10
PE-10(1) - Emergency Shutoff | Accidental and Unauthorized Activation
PE-11
PE-11(1) - Emergency Power | Alternate Power Supply — Minimal Operational Capability
PE-11(2) - Emergency Power | Alternate Power Supply — Self-contained
PE-12
PE-12(1) - Emergency Lighting | Essential Mission and Business Functions
PE-13
PE-13(1) - Fire Protection | Detection Systems – Automatic Activation and Notification
PE-13(2) - Fire Protection | Suppression Systems – Automatic Activation and Notification
PE-13(3) - Fire Protection | Automatic Fire Suppression
PE-13(4) - Fire Protection | Inspections
PE-14
PE-14(1) - Environmental Controls | Automatic Controls
PE-14(2) - Environmental Controls | Monitoring with Alarms and Notifications
PE-15
PE-15(1) - Water Damage Protection | Automation Support
PE-16
PE-17
PE-18
PE-18(1) - Location of System Components | Facility Site
PE-19
PE-19(1) - Information Leakage | National Emissions and Tempest Policies and Procedures
PE-20
PE-21
PE-22
PE-23
PL-1
PL-2
PL-2(1) - System Security and Privacy Plans | Concept of Operations
PL-2(2) - System Security and Privacy Plans | Functional Architecture
PL-2(3) - System Security and Privacy Plans | Plan and Coordinate with Other Organizational Entities
PL-3
PL-4
PL-4(1) - Rules of Behavior | Social Media and External Site/application Usage Restrictions
PL-5
PL-6
PL-7
PL-8
PL-8(1) - Security and Privacy Architectures | Defense in Depth
PL-8(2) - Security and Privacy Architectures | Supplier Diversity
PL-9
PL-10
PL-11
PM-1
PM-2
PM-3
PM-4
PM-5
PM-5(1) - System Inventory | Inventory of Personally Identifiable Information
PM-6
PM-7
PM-7(1) - Enterprise Architecture | Offloading
PM-8
PM-9
PM-10
PM-11
PM-12
PM-13
PM-14
PM-15
PM-16
PM-16(1) - Threat Awareness Program | Automated Means for Sharing Threat Intelligence
PM-17
PM-18
PM-19
PM-20
PM-20(1) - Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
PM-21
PM-22
PM-23
PM-24
PM-25
PM-26
PM-27
PM-28
PM-29
PM-30
PM-30(1) - Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items
PM-31
PM-32
PS-1
PS-2
PS-3
PS-3(1) - Personnel Screening | Classified Information
PS-3(2) - Personnel Screening | Formal Indoctrination
PS-3(3) - Personnel Screening | Information with Special Protective Measures
PS-3(4) - Personnel Screening | Citizenship Requirements
PS-4
PS-4(1) - Personnel Termination | Post-employment Requirements
PS-4(2) - Personnel Termination | Automated Actions
PS-5
PS-6
PS-6(1) - Access Agreements | Information Requiring Special Protection
PS-6(2) - Access Agreements | Classified Information Requiring Special Protection
PS-6(3) - Access Agreements | Post-employment Requirements
PS-7
PS-8
PS-9
PT-1
PT-2
PT-2(1) - Authority to Process Personally Identifiable Information | Data Tagging
PT-2(2) - Authority to Process Personally Identifiable Information | Automation
PT-3
PT-3(1) - Personally Identifiable Information Processing Purposes | Data Tagging
PT-3(2) - Personally Identifiable Information Processing Purposes | Automation
PT-4
PT-4(1) - Consent | Tailored Consent
PT-4(2) - Consent | Just-in-time Consent
PT-4(3) - Consent | Revocation
PT-5
PT-5(1) - Privacy Notice | Just-in-time Notice
PT-5(2) - Privacy Notice | Privacy Act Statements
PT-6
PT-6(1) - System of Records Notice | Routine Uses
PT-6(2) - System of Records Notice | Exemption Rules
PT-7
PT-7(1) - Specific Categories of Personally Identifiable Information | Social Security Numbers
PT-7(2) - Specific Categories of Personally Identifiable Information | First Amendment Information
PT-8
RA-1
RA-2
RA-2(1) - Security Categorization | Impact-level Prioritization
RA-3
RA-3(1) - Risk Assessment | Supply Chain Risk Assessment
RA-3(2) - Risk Assessment | Use of All-source Intelligence
RA-3(3) - Risk Assessment | Dynamic Threat Awareness
RA-3(4) - Risk Assessment | Predictive Cyber Analytics
RA-4
RA-5
RA-5(1) - Vulnerability Monitoring and Scanning | Update Tool Capability
RA-5(2) - Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
RA-5(3) - Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
RA-5(4) - Vulnerability Monitoring and Scanning | Discoverable Information
RA-5(5) - Vulnerability Monitoring and Scanning | Privileged Access
RA-5(6) - Vulnerability Monitoring and Scanning | Automated Trend Analyses
RA-5(7) - Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components
RA-5(8) - Vulnerability Monitoring and Scanning | Review Historic Audit Logs
RA-5(9) - Vulnerability Monitoring and Scanning | Penetration Testing and Analyses
RA-5(10) - Vulnerability Monitoring and Scanning | Correlate Scanning Information
RA-5(11) - Vulnerability Monitoring and Scanning | Public Disclosure Program
RA-6
RA-7
RA-8
RA-9
RA-10
SA-1
SA-2
SA-3
SA-3(1) - System Development Life Cycle | Manage Preproduction Environment
SA-3(2) - System Development Life Cycle | Use of Live or Operational Data
SA-3(3) - System Development Life Cycle | Technology Refresh
SA-4
SA-4(1) - Acquisition Process | Functional Properties of Controls
SA-4(2) - Acquisition Process | Design and Implementation Information for Controls
SA-4(3) - Acquisition Process | Development Methods, Techniques, and Practices
SA-4(4) - Acquisition Process | Assignment of Components to Systems
SA-4(5) - Acquisition Process | System, Component, and Service Configurations
SA-4(6) - Acquisition Process | Use of Information Assurance Products
SA-4(7) - Acquisition Process | Niap-approved Protection Profiles
SA-4(8) - Acquisition Process | Continuous Monitoring Plan for Controls
SA-4(9) - Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-4(10) - Acquisition Process | Use of Approved PIV Products
SA-4(11) - Acquisition Process | System of Records
SA-4(12) - Acquisition Process | Data Ownership
SA-5
SA-5(1) - System Documentation | Functional Properties of Security Controls
SA-5(2) - System Documentation | Security-relevant External System Interfaces
SA-5(3) - System Documentation | High-level Design
SA-5(4) - System Documentation | Low-level Design
SA-5(5) - System Documentation | Source Code
SA-6
SA-7
SA-8
SA-8(1) - Security and Privacy Engineering Principles | Clear Abstractions
SA-8(2) - Security and Privacy Engineering Principles | Least Common Mechanism
SA-8(3) - Security and Privacy Engineering Principles | Modularity and Layering
SA-8(4) - Security and Privacy Engineering Principles | Partially Ordered Dependencies
SA-8(5) - Security and Privacy Engineering Principles | Efficiently Mediated Access
SA-8(6) - Security and Privacy Engineering Principles | Minimized Sharing
SA-8(7) - Security and Privacy Engineering Principles | Reduced Complexity
SA-8(8) - Security and Privacy Engineering Principles | Secure Evolvability
SA-8(9) - Security and Privacy Engineering Principles | Trusted Components
SA-8(10) - Security and Privacy Engineering Principles | Hierarchical Trust
SA-8(11) - Security and Privacy Engineering Principles | Inverse Modification Threshold
SA-8(12) - Security and Privacy Engineering Principles | Hierarchical Protection
SA-8(13) - Security and Privacy Engineering Principles | Minimized Security Elements
SA-8(14) - Security and Privacy Engineering Principles | Least Privilege
SA-8(15) - Security and Privacy Engineering Principles | Predicate Permission
SA-8(16) - Security and Privacy Engineering Principles | Self-reliant Trustworthiness
SA-8(17) - Security and Privacy Engineering Principles | Secure Distributed Composition
SA-8(18) - Security and Privacy Engineering Principles | Trusted Communications Channels
SA-8(19) - Security and Privacy Engineering Principles | Continuous Protection
SA-8(20) - Security and Privacy Engineering Principles | Secure Metadata Management
SA-8(21) - Security and Privacy Engineering Principles | Self-analysis
SA-8(22) - Security and Privacy Engineering Principles | Accountability and Traceability
SA-8(23) - Security and Privacy Engineering Principles | Secure Defaults
SA-8(24) - Security and Privacy Engineering Principles | Secure Failure and Recovery
SA-8(25) - Security and Privacy Engineering Principles | Economic Security
SA-8(26) - Security and Privacy Engineering Principles | Performance Security
SA-8(27) - Security and Privacy Engineering Principles | Human Factored Security
SA-8(28) - Security and Privacy Engineering Principles | Acceptable Security
SA-8(29) - Security and Privacy Engineering Principles | Repeatable and Documented Procedures
SA-8(30) - Security and Privacy Engineering Principles | Procedural Rigor
SA-8(31) - Security and Privacy Engineering Principles | Secure System Modification
SA-8(32) - Security and Privacy Engineering Principles | Sufficient Documentation
SA-8(33) - Security and Privacy Engineering Principles | Minimization
SA-9
SA-9(1) - External System Services | Risk Assessments and Organizational Approvals
SA-9(2) - External System Services | Identification of Functions, Ports, Protocols, and Services
SA-9(3) - External System Services | Establish and Maintain Trust Relationship with Providers
SA-9(4) - External System Services | Consistent Interests of Consumers and Providers
SA-9(5) - External System Services | Processing, Storage, and Service Location
SA-9(6) - External System Services | Organization-controlled Cryptographic Keys
SA-9(7) - External System Services | Organization-controlled Integrity Checking
SA-9(8) - External System Services | Processing and Storage Location — U.s. Jurisdiction
SA-10
SA-10(1) - Developer Configuration Management | Software and Firmware Integrity Verification
SA-10(2) - Developer Configuration Management | Alternative Configuration Management
SA-10(3) - Developer Configuration Management | Hardware Integrity Verification
SA-10(4) - Developer Configuration Management | Trusted Generation
SA-10(5) - Developer Configuration Management | Mapping Integrity for Version Control
SA-10(6) - Developer Configuration Management | Trusted Distribution
SA-10(7) - Developer Configuration Management | Security and Privacy Representatives
SA-11
SA-11(1) - Developer Testing and Evaluation | Static Code Analysis
SA-11(2) - Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
SA-11(3) - Developer Testing and Evaluation | Independent Verification of Assessment Plans and Evidence
SA-11(4) - Developer Testing and Evaluation | Manual Code Reviews
SA-11(5) - Developer Testing and Evaluation | Penetration Testing
SA-11(6) - Developer Testing and Evaluation | Attack Surface Reviews
SA-11(7) - Developer Testing and Evaluation | Verify Scope of Testing and Evaluation
SA-11(8) - Developer Testing and Evaluation | Dynamic Code Analysis
SA-11(9) - Developer Testing and Evaluation | Interactive Application Security Testing
SA-12
SA-12(1) - Supply Chain Protection | Acquisition Strategies / Tools / Methods
SA-12(2) - Supply Chain Protection | Supplier Reviews
SA-12(3) - Supply Chain Protection | Trusted Shipping and Warehousing
SA-12(4) - Supply Chain Protection | Diversity of Suppliers
SA-12(5) - Supply Chain Protection | Limitation of Harm
SA-12(6) - Supply Chain Protection | Minimizing Procurement Time
SA-12(7) - Supply Chain Protection | Assessments Prior to Selection / Acceptance / Update
SA-12(8) - Supply Chain Protection | Use of All-source Intelligence
SA-12(9) - Supply Chain Protection | Operations Security
SA-12(10) - Supply Chain Protection | Validate as Genuine and Not Altered
SA-12(11) - Supply Chain Protection | Penetration Testing / Analysis of Elements, Processes, and Actors
SA-12(12) - Supply Chain Protection | Inter-organizational Agreements
SA-12(13) - Supply Chain Protection | Critical Information System Components
SA-12(14) - Supply Chain Protection | Identity and Traceability
SA-12(15) - Supply Chain Protection | Processes to Address Weaknesses or Deficiencies
SA-13
SA-14
SA-14(1) - Criticality Analysis | Critical Components with No Viable Alternative Sourcing
SA-15
SA-15(1) - Development Process, Standards, and Tools | Quality Metrics
SA-15(2) - Development Process, Standards, and Tools | Security and Privacy Tracking Tools
SA-15(3) - Development Process, Standards, and Tools | Criticality Analysis
SA-15(4) - Development Process, Standards, and Tools | Threat Modeling and Vulnerability Analysis
SA-15(5) - Development Process, Standards, and Tools | Attack Surface Reduction
SA-15(6) - Development Process, Standards, and Tools | Continuous Improvement
SA-15(7) - Development Process, Standards, and Tools | Automated Vulnerability Analysis
SA-15(8) - Development Process, Standards, and Tools | Reuse of Threat and Vulnerability Information
SA-15(9) - Development Process, Standards, and Tools | Use of Live Data
SA-15(10) - Development Process, Standards, and Tools | Incident Response Plan
SA-15(11) - Development Process, Standards, and Tools | Archive System or Component
SA-15(12) - Development Process, Standards, and Tools | Minimize Personally Identifiable Information
SA-16
SA-17
SA-17(1) - Developer Security and Privacy Architecture and Design | Formal Policy Model
SA-17(2) - Developer Security and Privacy Architecture and Design | Security-relevant Components
SA-17(3) - Developer Security and Privacy Architecture and Design | Formal Correspondence
SA-17(4) - Developer Security and Privacy Architecture and Design | Informal Correspondence
SA-17(5) - Developer Security and Privacy Architecture and Design | Conceptually Simple Design
SA-17(6) - Developer Security and Privacy Architecture and Design | Structure for Testing
SA-17(7) - Developer Security and Privacy Architecture and Design | Structure for Least Privilege
SA-17(8) - Developer Security and Privacy Architecture and Design | Orchestration
SA-17(9) - Developer Security and Privacy Architecture and Design | Design Diversity
SA-18
SA-18(1) - Tamper Resistance and Detection | Multiple Phases of System Development Life Cycle
SA-18(2) - Tamper Resistance and Detection | Inspection of Systems or Components
SA-19
SA-19(1) - Component Authenticity | Anti-counterfeit Training
SA-19(2) - Component Authenticity | Configuration Control for Component Service and Repair
SA-19(3) - Component Authenticity | Component Disposal
SA-19(4) - Component Authenticity | Anti-counterfeit Scanning
SA-20
SA-21
SA-21(1) - Developer Screening | Validation of Screening
SA-22
SA-22(1) - Unsupported System Components | Alternative Sources for Continued Support
SA-23
SC-1
SC-2
SC-2(1) - Separation of System and User Functionality | Interfaces for Non-privileged Users
SC-2(2) - Separation of System and User Functionality | Disassociability
SC-3
SC-3(1) - Security Function Isolation | Hardware Separation
SC-3(2) - Security Function Isolation | Access and Flow Control Functions
SC-3(3) - Security Function Isolation | Minimize Nonsecurity Functionality
SC-3(4) - Security Function Isolation | Module Coupling and Cohesiveness
SC-3(5) - Security Function Isolation | Layered Structures
SC-4
SC-4(1) - Information in Shared System Resources | Security Levels
SC-4(2) - Information in Shared System Resources | Multilevel or Periods Processing
SC-5
SC-5(1) - Denial-of-service Protection | Restrict Ability to Attack Other Systems
SC-5(2) - Denial-of-service Protection | Capacity, Bandwidth, and Redundancy
SC-5(3) - Denial-of-service Protection | Detection and Monitoring
SC-6
SC-7
SC-7(1) - Boundary Protection | Physically Separated Subnetworks
SC-7(2) - Boundary Protection | Public Access
SC-7(3) - Boundary Protection | Access Points
SC-7(4) - Boundary Protection | External Telecommunications Services
SC-7(5) - Boundary Protection | Deny by Default — Allow by Exception
SC-7(6) - Boundary Protection | Response to Recognized Failures
SC-7(7) - Boundary Protection | Split Tunneling for Remote Devices
SC-7(8) - Boundary Protection | Route Traffic to Authenticated Proxy Servers
SC-7(9) - Boundary Protection | Restrict Threatening Outgoing Communications Traffic
SC-7(10) - Boundary Protection | Prevent Exfiltration
SC-7(11) - Boundary Protection | Restrict Incoming Communications Traffic
SC-7(12) - Boundary Protection | Host-based Protection
SC-7(13) - Boundary Protection | Isolation of Security Tools, Mechanisms, and Support Components
SC-7(14) - Boundary Protection | Protect Against Unauthorized Physical Connections
SC-7(15) - Boundary Protection | Networked Privileged Accesses
SC-7(16) - Boundary Protection | Prevent Discovery of System Components
SC-7(17) - Boundary Protection | Automated Enforcement of Protocol Formats
SC-7(18) - Boundary Protection | Fail Secure
SC-7(19) - Boundary Protection | Block Communication from Non-organizationally Configured Hosts
SC-7(20) - Boundary Protection | Dynamic Isolation and Segregation
SC-7(21) - Boundary Protection | Isolation of System Components
SC-7(22) - Boundary Protection | Separate Subnets for Connecting to Different Security Domains
SC-7(23) - Boundary Protection | Disable Sender Feedback on Protocol Validation Failure
SC-7(24) - Boundary Protection | Personally Identifiable Information
SC-7(25) - Boundary Protection | Unclassified National Security System Connections
SC-7(26) - Boundary Protection | Classified National Security System Connections
SC-7(27) - Boundary Protection | Unclassified Non-national Security System Connections
SC-7(28) - Boundary Protection | Connections to Public Networks
SC-7(29) - Boundary Protection | Separate Subnets to Isolate Functions
SC-8
SC-8(1) - Transmission Confidentiality and Integrity | Cryptographic Protection
SC-8(2) - Transmission Confidentiality and Integrity | Pre- and Post-transmission Handling
SC-8(3) - Transmission Confidentiality and Integrity | Cryptographic Protection for Message Externals
SC-8(4) - Transmission Confidentiality and Integrity | Conceal or Randomize Communications
SC-8(5) - Transmission Confidentiality and Integrity | Protected Distribution System
SC-9
SC-10
SC-11
SC-11(1) - Trusted Path | Irrefutable Communications Path
SC-12
SC-12(1) - Cryptographic Key Establishment and Management | Availability
SC-12(2) - Cryptographic Key Establishment and Management | Symmetric Keys
SC-12(3) - Cryptographic Key Establishment and Management | Asymmetric Keys
SC-12(4) - Cryptographic Key Establishment and Management | PKI Certificates
SC-12(5) - Cryptographic Key Establishment and Management | PKI Certificates / Hardware Tokens
SC-12(6) - Cryptographic Key Establishment and Management | Physical Control of Keys
SC-13
SC-13(1) - Cryptographic Protection | Fips-validated Cryptography
SC-13(2) - Cryptographic Protection | Nsa-approved Cryptography
SC-13(3) - Cryptographic Protection | Individuals Without Formal Access Approvals
SC-13(4) - Cryptographic Protection | Digital Signatures
SC-14
SC-15
SC-15(1) - Collaborative Computing Devices and Applications | Physical or Logical Disconnect
SC-15(2) - Collaborative Computing Devices and Applications | Blocking Inbound and Outbound Communications Traffic
SC-15(3) - Collaborative Computing Devices and Applications | Disabling and Removal in Secure Work Areas
SC-15(4) - Collaborative Computing Devices and Applications | Explicitly Indicate Current Participants
SC-16
SC-16(1) - Transmission of Security and Privacy Attributes | Integrity Verification
SC-16(2) - Transmission of Security and Privacy Attributes | Anti-spoofing Mechanisms
SC-16(3) - Transmission of Security and Privacy Attributes | Cryptographic Binding
SC-17
SC-18
SC-18(1) - Mobile Code | Identify Unacceptable Code and Take Corrective Actions
SC-18(2) - Mobile Code | Acquisition, Development, and Use
SC-18(3) - Mobile Code | Prevent Downloading and Execution
SC-18(4) - Mobile Code | Prevent Automatic Execution
SC-18(5) - Mobile Code | Allow Execution Only in Confined Environments
SC-19
SC-20
SC-20(1) - Secure Name/address Resolution Service (authoritative Source) | Child Subspaces
SC-20(2) - Secure Name/address Resolution Service (authoritative Source) | Data Origin and Integrity
SC-21
SC-21(1) - Secure Name/address Resolution Service (recursive or Caching Resolver) | Data Origin and Integrity
SC-22
SC-23
SC-23(1) - Session Authenticity | Invalidate Session Identifiers at Logout
SC-23(2) - Session Authenticity | User-initiated Logouts and Message Displays
SC-23(3) - Session Authenticity | Unique System-generated Session Identifiers
SC-23(4) - Session Authenticity | Unique Session Identifiers with Randomization
SC-23(5) - Session Authenticity | Allowed Certificate Authorities
SC-24
SC-25
SC-26
SC-26(1) - Decoys | Detection of Malicious Code
SC-27
SC-28
SC-28(1) - Protection of Information at Rest | Cryptographic Protection
SC-28(2) - Protection of Information at Rest | Offline Storage
SC-28(3) - Protection of Information at Rest | Cryptographic Keys
SC-29
SC-29(1) - Heterogeneity | Virtualization Techniques
SC-30
SC-30(1) - Concealment and Misdirection | Virtualization Techniques
SC-30(2) - Concealment and Misdirection | Randomness
SC-30(3) - Concealment and Misdirection | Change Processing and Storage Locations
SC-30(4) - Concealment and Misdirection | Misleading Information
SC-30(5) - Concealment and Misdirection | Concealment of System Components
SC-31
SC-31(1) - Covert Channel Analysis | Test Covert Channels for Exploitability
SC-31(2) - Covert Channel Analysis | Maximum Bandwidth
SC-31(3) - Covert Channel Analysis | Measure Bandwidth in Operational Environments
SC-32
SC-32(1) - System Partitioning | Separate Physical Domains for Privileged Functions
SC-33
SC-34
SC-34(1) - Non-modifiable Executable Programs | No Writable Storage
SC-34(2) - Non-modifiable Executable Programs | Integrity Protection on Read-only Media
SC-34(3) - Non-modifiable Executable Programs | Hardware-based Protection
SC-35
SC-36
SC-36(1) - Distributed Processing and Storage | Polling Techniques
SC-36(2) - Distributed Processing and Storage | Synchronization
SC-37
SC-37(1) - Out-of-band Channels | Ensure Delivery and Transmission
SC-38
SC-39
SC-39(1) - Process Isolation | Hardware Separation
SC-39(2) - Process Isolation | Separate Execution Domain Per Thread
SC-40
SC-40(1) - Wireless Link Protection | Electromagnetic Interference
SC-40(2) - Wireless Link Protection | Reduce Detection Potential
SC-40(3) - Wireless Link Protection | Imitative or Manipulative Communications Deception
SC-40(4) - Wireless Link Protection | Signal Parameter Identification
SC-41
SC-42
SC-42(1) - Sensor Capability and Data | Reporting to Authorized Individuals or Roles
SC-42(2) - Sensor Capability and Data | Authorized Use
SC-42(3) - Sensor Capability and Data | Prohibit Use of Devices
SC-42(4) - Sensor Capability and Data | Notice of Collection
SC-42(5) - Sensor Capability and Data | Collection Minimization
SC-43
SC-44
SC-45
SC-45(1) - System Time Synchronization | Synchronization with Authoritative Time Source
SC-45(2) - System Time Synchronization | Secondary Authoritative Time Source
SC-46
SC-47
SC-48
SC-48(1) - Sensor Relocation | Dynamic Relocation of Sensors or Monitoring Capabilities
SC-49
SC-50
SC-51
SI-1
SI-2
SI-2(1) - Flaw Remediation | Central Management
SI-2(2) - Flaw Remediation | Automated Flaw Remediation Status
SI-2(3) - Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective Actions
SI-2(4) - Flaw Remediation | Automated Patch Management Tools
SI-2(5) - Flaw Remediation | Automatic Software and Firmware Updates
SI-2(6) - Flaw Remediation | Removal of Previous Versions of Software and Firmware
SI-3
SI-3(1) - Malicious Code Protection | Central Management
SI-3(2) - Malicious Code Protection | Automatic Updates
SI-3(3) - Malicious Code Protection | Non-privileged Users
SI-3(4) - Malicious Code Protection | Updates Only by Privileged Users
SI-3(5) - Malicious Code Protection | Portable Storage Devices
SI-3(6) - Malicious Code Protection | Testing and Verification
SI-3(7) - Malicious Code Protection | Nonsignature-based Detection
SI-3(8) - Malicious Code Protection | Detect Unauthorized Commands
SI-3(9) - Malicious Code Protection | Authenticate Remote Commands
SI-3(10) - Malicious Code Protection | Malicious Code Analysis
SI-4
SI-4(1) - System Monitoring | System-wide Intrusion Detection System
SI-4(2) - System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
SI-4(3) - System Monitoring | Automated Tool and Mechanism Integration
SI-4(4) - System Monitoring | Inbound and Outbound Communications Traffic
SI-4(5) - System Monitoring | System-generated Alerts
SI-4(6) - System Monitoring | Restrict Non-privileged Users
SI-4(7) - System Monitoring | Automated Response to Suspicious Events
SI-4(8) - System Monitoring | Protection of Monitoring Information
SI-4(9) - System Monitoring | Testing of Monitoring Tools and Mechanisms
SI-4(10) - System Monitoring | Visibility of Encrypted Communications
SI-4(11) - System Monitoring | Analyze Communications Traffic Anomalies
SI-4(12) - System Monitoring | Automated Organization-generated Alerts
SI-4(13) - System Monitoring | Analyze Traffic and Event Patterns
SI-4(14) - System Monitoring | Wireless Intrusion Detection
SI-4(15) - System Monitoring | Wireless to Wireline Communications
SI-4(16) - System Monitoring | Correlate Monitoring Information
SI-4(17) - System Monitoring | Integrated Situational Awareness
SI-4(18) - System Monitoring | Analyze Traffic and Covert Exfiltration
SI-4(19) - System Monitoring | Risk for Individuals
SI-4(20) - System Monitoring | Privileged Users
SI-4(21) - System Monitoring | Probationary Periods
SI-4(22) - System Monitoring | Unauthorized Network Services
SI-4(23) - System Monitoring | Host-based Devices
SI-4(24) - System Monitoring | Indicators of Compromise
SI-4(25) - System Monitoring | Optimize Network Traffic Analysis
SI-5
SI-5(1) - Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
SI-6
SI-6(1) - Security and Privacy Function Verification | Notification of Failed Security Tests
SI-6(2) - Security and Privacy Function Verification | Automation Support for Distributed Testing
SI-6(3) - Security and Privacy Function Verification | Report Verification Results
SI-7
SI-7(1) - Software, Firmware, and Information Integrity | Integrity Checks
SI-7(2) - Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations
SI-7(3) - Software, Firmware, and Information Integrity | Centrally Managed Integrity Tools
SI-7(4) - Software, Firmware, and Information Integrity | Tamper-evident Packaging
SI-7(5) - Software, Firmware, and Information Integrity | Automated Response to Integrity Violations
SI-7(6) - Software, Firmware, and Information Integrity | Cryptographic Protection
SI-7(7) - Software, Firmware, and Information Integrity | Integration of Detection and Response
SI-7(8) - Software, Firmware, and Information Integrity | Auditing Capability for Significant Events
SI-7(9) - Software, Firmware, and Information Integrity | Verify Boot Process
SI-7(10) - Software, Firmware, and Information Integrity | Protection of Boot Firmware
SI-7(11) - Software, Firmware, and Information Integrity | Confined Environments with Limited Privileges
SI-7(12) - Software, Firmware, and Information Integrity | Integrity Verification
SI-7(13) - Software, Firmware, and Information Integrity | Code Execution in Protected Environments
SI-7(14) - Software, Firmware, and Information Integrity | Binary or Machine Executable Code
SI-7(15) - Software, Firmware, and Information Integrity | Code Authentication
SI-7(16) - Software, Firmware, and Information Integrity | Time Limit on Process Execution Without Supervision
SI-7(17) - Software, Firmware, and Information Integrity | Runtime Application Self-protection
SI-8
SI-8(1) - Spam Protection | Central Management
SI-8(2) - Spam Protection | Automatic Updates
SI-8(3) - Spam Protection | Continuous Learning Capability
SI-9
SI-10
SI-10(1) - Information Input Validation | Manual Override Capability
SI-10(2) - Information Input Validation | Review and Resolve Errors
SI-10(3) - Information Input Validation | Predictable Behavior
SI-10(4) - Information Input Validation | Timing Interactions
SI-10(5) - Information Input Validation | Restrict Inputs to Trusted Sources and Approved Formats
SI-10(6) - Information Input Validation | Injection Prevention
SI-11
SI-12
SI-12(1) - Information Management and Retention | Limit Personally Identifiable Information Elements
SI-12(2) - Information Management and Retention | Minimize Personally Identifiable Information in Testing, Training, and Research
SI-12(3) - Information Management and Retention | Information Disposal
SI-13
SI-13(1) - Predictable Failure Prevention | Transferring Component Responsibilities
SI-13(2) - Predictable Failure Prevention | Time Limit on Process Execution Without Supervision
SI-13(3) - Predictable Failure Prevention | Manual Transfer Between Components
SI-13(4) - Predictable Failure Prevention | Standby Component Installation and Notification
SI-13(5) - Predictable Failure Prevention | Failover Capability
SI-14
SI-14(1) - Non-persistence | Refresh from Trusted Sources
SI-14(2) - Non-persistence | Non-persistent Information
SI-14(3) - Non-persistence | Non-persistent Connectivity
SI-15
SI-16
SI-17
SI-18
SI-18(1) - Personally Identifiable Information Quality Operations | Automation Support
SI-18(2) - Personally Identifiable Information Quality Operations | Data Tags
SI-18(3) - Personally Identifiable Information Quality Operations | Collection
SI-18(4) - Personally Identifiable Information Quality Operations | Individual Requests
SI-18(5) - Personally Identifiable Information Quality Operations | Notice of Correction or Deletion
SI-19
SI-19(1) - De-identification | Collection
SI-19(2) - De-identification | Archiving
SI-19(3) - De-identification | Release
SI-19(4) - De-identification | Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers
SI-19(5) - De-identification | Statistical Disclosure Control
SI-19(6) - De-identification | Differential Privacy
SI-19(7) - De-identification | Validated Algorithms and Software
SI-19(8) - De-identification | Motivated Intruder
SI-20
SI-21
SI-22
SI-23
SR-1
SR-2
SR-2(1) - Supply Chain Risk Management Plan | Establish Scrm Team
SR-3
SR-3(1) - Supply Chain Controls and Processes | Diverse Supply Base
SR-3(2) - Supply Chain Controls and Processes | Limitation of Harm
SR-3(3) - Supply Chain Controls and Processes | Sub-tier Flow Down
SR-4
SR-4(1) - Provenance | Identity
SR-4(2) - Provenance | Track and Trace
SR-4(3) - Provenance | Validate as Genuine and Not Altered
SR-4(4) - Provenance | Supply Chain Integrity — Pedigree
SR-5
SR-5(1) - Acquisition Strategies, Tools, and Methods | Adequate Supply
SR-5(2) - Acquisition Strategies, Tools, and Methods | Assessments Prior to Selection, Acceptance, Modification, or Update
SR-6
SR-6(1) - Supplier Assessments and Reviews | Testing and Analysis
SR-7
SR-8
SR-9
SR-9(1) - Tamper Resistance and Detection | Multiple Stages of System Development Life Cycle
SR-10
SR-11
SR-11(1) - Component Authenticity | Anti-counterfeit Training
SR-11(2) - Component Authenticity | Configuration Control for Component Service and Repair
SR-11(3) - Component Authenticity | Anti-counterfeit Scanning
SR-12
select a control on the left