FAMILY

NAME

TITLE

ACCESS CONTROL

AC-1

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-1a.

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-1a.1.

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-1a.2.

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-1b.

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-1b.1.

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-1b.2.

ACCESS CONTROL POLICY AND


PROCEDURES

ACCESS CONTROL

AC-2

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2a.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2b.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2c.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2d.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2e.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2f.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2g.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2h.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2h.1.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2h.2.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2h.3.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2i.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2i.1.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2i.2.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2i.3.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2j.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2k.

ACCOUNT MANAGEMENT

ACCESS CONTROL

AC-2 (1)

AUTOMATED SYSTEM ACCOUNT


MANAGEMENT

ACCESS CONTROL

AC-2 (2)

REMOVAL OF TEMPORARY / EMERGENCY


ACCOUNTS

ACCESS CONTROL

AC-2 (3)

DISABLE INACTIVE ACCOUNTS

ACCESS CONTROL

AC-2 (4)

AUTOMATED AUDIT ACTIONS

ACCESS CONTROL

AC-2 (5)

INACTIVITY LOGOUT

ACCESS CONTROL

AC-2 (6)

DYNAMIC PRIVILEGE MANAGEMENT

ACCESS CONTROL

AC-2 (7)

ROLE-BASED SCHEMES

ACCESS CONTROL

AC-2 (7)(a)

ROLE-BASED SCHEMES

ACCESS CONTROL

AC-2 (7)(b)

ROLE-BASED SCHEMES

ACCESS CONTROL

AC-2 (7)(c)

ROLE-BASED SCHEMES

ACCESS CONTROL

AC-2 (8)

DYNAMIC ACCOUNT CREATION

ACCESS CONTROL

AC-2 (9)

RESTRICTIONS ON USE OF SHARED / GROUP


ACCOUNTS

ACCESS CONTROL

AC-2 (10)

SHARED / GROUP ACCOUNT CREDENTIAL


TERMINATION

ACCESS CONTROL

AC-2 (11)

USAGE CONDITIONS

ACCESS CONTROL

AC-2 (12)

ACCOUNT MONITORING / ATYPICAL USAGE

ACCESS CONTROL

AC-2 (12)(a)

ACCOUNT MONITORING / ATYPICAL USAGE

ACCESS CONTROL

AC-2 (12)(b)

ACCOUNT MONITORING / ATYPICAL USAGE

ACCESS CONTROL

AC-2 (13)

DISABLE ACCOUNTS FOR HIGH-RISK


INDIVIDUALS

ACCESS CONTROL

AC-3

ACCESS ENFORCEMENT

ACCESS CONTROL

AC-3 (1)

RESTRICTED ACCESS TO PRIVILEGED


FUNCTIONS

ACCESS CONTROL

AC-3 (2)

DUAL AUTHORIZATION

ACCESS CONTROL

AC-3 (3)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(a)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(b)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(b)(1)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(b)(2)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(b)(3)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(b)(4)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(b)(5)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (3)(c)

MANDATORY ACCESS CONTROL

ACCESS CONTROL

AC-3 (4)

DISCRETIONARY ACCESS CONTROL

ACCESS CONTROL

AC-3 (4)(a)

DISCRETIONARY ACCESS CONTROL

ACCESS CONTROL

AC-3 (4)(b)

DISCRETIONARY ACCESS CONTROL

ACCESS CONTROL

AC-3 (4)(c)

DISCRETIONARY ACCESS CONTROL

ACCESS CONTROL

AC-3 (4)(d)

DISCRETIONARY ACCESS CONTROL

ACCESS CONTROL

AC-3 (4)(e)

DISCRETIONARY ACCESS CONTROL

ACCESS CONTROL

AC-3 (5)

SECURITY-RELEVANT INFORMATION

ACCESS CONTROL

AC-3 (6)

PROTECTION OF USER AND SYSTEM


INFORMATION

ACCESS CONTROL

AC-3 (7)

ROLE-BASED ACCESS CONTROL

ACCESS CONTROL

AC-3 (8)

REVOCATION OF ACCESS AUTHORIZATIONS

ACCESS CONTROL

AC-3 (9)

CONTROLLED RELEASE

ACCESS CONTROL

AC-3 (9)(a)

CONTROLLED RELEASE

ACCESS CONTROL

AC-3 (9)(b)

CONTROLLED RELEASE

ACCESS CONTROL

AC-3 (10)

AUDITED OVERRIDE OF ACCESS CONTROL


MECHANISMS

ACCESS CONTROL

AC-4

INFORMATION FLOW ENFORCEMENT

ACCESS CONTROL

AC-4 (1)

OBJECT SECURITY ATTRIBUTES

ACCESS CONTROL

AC-4 (2)

PROCESSING DOMAINS

ACCESS CONTROL

AC-4 (3)

DYNAMIC INFORMATION FLOW CONTROL

ACCESS CONTROL

AC-4 (4)

CONTENT CHECK ENCRYPTED INFORMATION

ACCESS CONTROL

AC-4 (5)

EMBEDDED DATA TYPES

ACCESS CONTROL

AC-4 (6)

METADATA

ACCESS CONTROL

AC-4 (7)

ONE-WAY FLOW MECHANISMS

ACCESS CONTROL

AC-4 (8)

SECURITY POLICY FILTERS

ACCESS CONTROL

AC-4 (9)

HUMAN REVIEWS

ACCESS CONTROL

AC-4 (10)

ENABLE / DISABLE SECURITY POLICY FILTERS

ACCESS CONTROL

AC-4 (11)

CONFIGURATION OF SECURITY POLICY


FILTERS

ACCESS CONTROL

AC-4 (12)

DATA TYPE IDENTIFIERS

ACCESS CONTROL

AC-4 (13)

DECOMPOSITION INTO POLICY-RELEVANT


SUBCOMPONENTS

ACCESS CONTROL

AC-4 (14)

SECURITY POLICY FILTER CONSTRAINTS

ACCESS CONTROL

AC-4 (15)

DETECTION OF UNSANCTIONED
INFORMATION

ACCESS CONTROL

AC-4 (16)

INFORMATION TRANSFERS ON
INTERCONNECTED SYSTEMS

ACCESS CONTROL

AC-4 (17)

DOMAIN AUTHENTICATION

ACCESS CONTROL

AC-4 (18)

SECURITY ATTRIBUTE BINDING

ACCESS CONTROL

AC-4 (19)

VALIDATION OF METADATA

ACCESS CONTROL

AC-4 (20)

APPROVED SOLUTIONS

ACCESS CONTROL

AC-4 (21)

PHYSICAL / LOGICAL SEPARATION OF


INFORMATION FLOWS

ACCESS CONTROL

AC-4 (22)

ACCESS ONLY

ACCESS CONTROL

AC-5

SEPARATION OF DUTIES

ACCESS CONTROL

AC-5a.

SEPARATION OF DUTIES

ACCESS CONTROL

AC-5b.

SEPARATION OF DUTIES

ACCESS CONTROL

AC-5c.

SEPARATION OF DUTIES

ACCESS CONTROL

AC-6

LEAST PRIVILEGE

ACCESS CONTROL

AC-6 (1)

AUTHORIZE ACCESS TO SECURITY


FUNCTIONS

ACCESS CONTROL

AC-6 (2)

NON-PRIVILEGED ACCESS FOR


NONSECURITY FUNCTIONS

ACCESS CONTROL

AC-6 (3)

NETWORK ACCESS TO PRIVILEGED


COMMANDS

ACCESS CONTROL

AC-6 (4)

SEPARATE PROCESSING DOMAINS

ACCESS CONTROL

AC-6 (5)

PRIVILEGED ACCOUNTS

ACCESS CONTROL

AC-6 (6)

PRIVILEGED ACCESS BY NONORGANIZATIONAL USERS

ACCESS CONTROL

AC-6 (7)

REVIEW OF USER PRIVILEGES

ACCESS CONTROL

AC-6 (7)(a)

REVIEW OF USER PRIVILEGES

ACCESS CONTROL

AC-6 (7)(b)

REVIEW OF USER PRIVILEGES

ACCESS CONTROL

AC-6 (8)

PRIVILEGE LEVELS FOR CODE EXECUTION

ACCESS CONTROL

AC-6 (9)

AUDITING USE OF PRIVILEGED FUNCTIONS

ACCESS CONTROL

AC-6 (10)

PROHIBIT NON-PRIVILEGED USERS FROM


EXECUTING PRIVILEGED FUNCTIONS

ACCESS CONTROL

AC-7

UNSUCCESSFUL LOGON ATTEMPTS

ACCESS CONTROL

AC-7a.

UNSUCCESSFUL LOGON ATTEMPTS

ACCESS CONTROL

AC-7b.

UNSUCCESSFUL LOGON ATTEMPTS

ACCESS CONTROL

AC-7 (1)

AUTOMATIC ACCOUNT LOCK

ACCESS CONTROL

AC-7 (2)

PURGE / WIPE MOBILE DEVICE

ACCESS CONTROL

AC-8

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8a.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8a.1.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8a.2.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8a.3.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8a.4.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8b.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8c.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8c.1.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8c.2.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-8c.3.

SYSTEM USE NOTIFICATION

ACCESS CONTROL

AC-9

PREVIOUS LOGON (ACCESS) NOTIFICATION

ACCESS CONTROL

AC-9 (1)

UNSUCCESSFUL LOGONS

ACCESS CONTROL

AC-9 (2)

SUCCESSFUL / UNSUCCESSFUL LOGONS

ACCESS CONTROL

AC-9 (3)

NOTIFICATION OF ACCOUNT CHANGES

ACCESS CONTROL

AC-9 (4)

ADDITIONAL LOGON INFORMATION

ACCESS CONTROL

AC-10

CONCURRENT SESSION CONTROL

ACCESS CONTROL

AC-11

SESSION LOCK

ACCESS CONTROL

AC-11a.

SESSION LOCK

ACCESS CONTROL

AC-11b.

SESSION LOCK

ACCESS CONTROL

AC-11 (1)

PATTERN-HIDING DISPLAYS

ACCESS CONTROL

AC-12

SESSION TERMINATION

ACCESS CONTROL

AC-12 (1)

USER-INITIATED LOGOUTS / MESSAGE


DISPLAYS

ACCESS CONTROL

AC-12 (1)(a)

USER-INITIATED LOGOUTS / MESSAGE


DISPLAYS

ACCESS CONTROL

AC-12 (1)(b)

USER-INITIATED LOGOUTS / MESSAGE


DISPLAYS

ACCESS CONTROL

AC-13

SUPERVISION AND REVIEW - ACCESS


CONTROL

ACCESS CONTROL

AC-14

PERMITTED ACTIONS WITHOUT


IDENTIFICATION OR AUTHENTICATION

ACCESS CONTROL

AC-14a.

PERMITTED ACTIONS WITHOUT


IDENTIFICATION OR AUTHENTICATION

ACCESS CONTROL

AC-14b.

PERMITTED ACTIONS WITHOUT


IDENTIFICATION OR AUTHENTICATION

ACCESS CONTROL

AC-14 (1)

NECESSARY USES

ACCESS CONTROL

AC-15

AUTOMATED MARKING

ACCESS CONTROL

AC-16

SECURITY ATTRIBUTES

ACCESS CONTROL

AC-16a.

SECURITY ATTRIBUTES

ACCESS CONTROL

AC-16b.

SECURITY ATTRIBUTES

ACCESS CONTROL

AC-16c.

SECURITY ATTRIBUTES

ACCESS CONTROL

AC-16d.

SECURITY ATTRIBUTES

ACCESS CONTROL

AC-16 (1)

DYNAMIC ATTRIBUTE ASSOCIATION

ACCESS CONTROL

AC-16 (2)

ATTRIBUTE VALUE CHANGES BY


AUTHORIZED INDIVIDUALS

ACCESS CONTROL

AC-16 (3)

MAINTENANCE OF ATTRIBUTE ASSOCIATIONS


BY INFORMATION SYSTEM

ACCESS CONTROL

AC-16 (4)

ASSOCIATION OF ATTRIBUTES BY
AUTHORIZED INDIVIDUALS

ACCESS CONTROL

AC-16 (5)

ATTRIBUTE DISPLAYS FOR OUTPUT DEVICES

ACCESS CONTROL

AC-16 (6)

MAINTENANCE OF ATTRIBUTE ASSOCIATION


BY ORGANIZATION

ACCESS CONTROL

AC-16 (7)

CONSISTENT ATTRIBUTE INTERPRETATION

ACCESS CONTROL

AC-16 (8)

ASSOCIATION TECHNIQUES / TECHNOLOGIES

ACCESS CONTROL

AC-16 (9)

ATTRIBUTE REASSIGNMENT

ACCESS CONTROL

AC-16 (10)

ATTRIBUTE CONFIGURATION BY
AUTHORIZED INDIVIDUALS

ACCESS CONTROL

AC-17

REMOTE ACCESS

ACCESS CONTROL

AC-17a.

REMOTE ACCESS

ACCESS CONTROL

AC-17b.

REMOTE ACCESS

ACCESS CONTROL

AC-17 (1)

AUTOMATED MONITORING / CONTROL

ACCESS CONTROL

AC-17 (2)

PROTECTION OF CONFIDENTIALITY /
INTEGRITY USING ENCRYPTION

ACCESS CONTROL

AC-17 (3)

MANAGED ACCESS CONTROL POINTS

ACCESS CONTROL

AC-17 (4)

PRIVILEGED COMMANDS / ACCESS

ACCESS CONTROL

AC-17 (4)(a)

PRIVILEGED COMMANDS / ACCESS

ACCESS CONTROL

AC-17 (4)(b)

PRIVILEGED COMMANDS / ACCESS

ACCESS CONTROL

AC-17 (5)

MONITORING FOR UNAUTHORIZED


CONNECTIONS

ACCESS CONTROL

AC-17 (6)

PROTECTION OF INFORMATION

ACCESS CONTROL

AC-17 (7)

ADDITIONAL PROTECTION FOR SECURITY


FUNCTION ACCESS

ACCESS CONTROL

AC-17 (8)

DISABLE NONSECURE NETWORK


PROTOCOLS

ACCESS CONTROL

AC-17 (9)

DISCONNECT / DISABLE ACCESS

ACCESS CONTROL

AC-18

WIRELESS ACCESS

ACCESS CONTROL

AC-18a.

WIRELESS ACCESS

ACCESS CONTROL

AC-18b.

WIRELESS ACCESS

ACCESS CONTROL

AC-18 (1)

AUTHENTICATION AND ENCRYPTION

ACCESS CONTROL

AC-18 (2)

MONITORING UNAUTHORIZED
CONNECTIONS

ACCESS CONTROL

AC-18 (3)

DISABLE WIRELESS NETWORKING

ACCESS CONTROL

AC-18 (4)

RESTRICT CONFIGURATIONS BY USERS

ACCESS CONTROL

AC-18 (5)

ANTENNAS / TRANSMISSION POWER LEVELS

ACCESS CONTROL

AC-19

ACCESS CONTROL FOR MOBILE DEVICES

ACCESS CONTROL

AC-19a.

ACCESS CONTROL FOR MOBILE DEVICES

ACCESS CONTROL

AC-19b.

ACCESS CONTROL FOR MOBILE DEVICES

ACCESS CONTROL

AC-19 (1)

USE OF WRITABLE / PORTABLE STORAGE


DEVICES

ACCESS CONTROL

AC-19 (2)

USE OF PERSONALLY OWNED PORTABLE


STORAGE DEVICES

ACCESS CONTROL

AC-19 (3)

USE OF PORTABLE STORAGE DEVICES WITH


NO IDENTIFIABLE OWNER

ACCESS CONTROL

AC-19 (4)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(a)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(b)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(b)(1)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(b)(2)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(b)(3)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(b)(4)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (4)(c)

RESTRICTIONS FOR CLASSIFIED


INFORMATION

ACCESS CONTROL

AC-19 (5)

FULL DEVICE / CONTAINER-BASED


ENCRYPTION

ACCESS CONTROL

AC-20

USE OF EXTERNAL INFORMATION SYSTEMS

ACCESS CONTROL

AC-20a.

USE OF EXTERNAL INFORMATION SYSTEMS

ACCESS CONTROL

AC-20b.

USE OF EXTERNAL INFORMATION SYSTEMS

ACCESS CONTROL

AC-20 (1)

LIMITS ON AUTHORIZED USE

ACCESS CONTROL

AC-20 (1)(a)

LIMITS ON AUTHORIZED USE

ACCESS CONTROL

AC-20 (1)(b)

LIMITS ON AUTHORIZED USE

ACCESS CONTROL

AC-20 (2)

PORTABLE STORAGE DEVICES

ACCESS CONTROL

AC-20 (3)

NON-ORGANIZATIONALLY OWNED SYSTEMS /


COMPONENTS / DEVICES

ACCESS CONTROL

AC-20 (4)

NETWORK ACCESSIBLE STORAGE DEVICES

ACCESS CONTROL

AC-21

INFORMATION SHARING

ACCESS CONTROL

AC-21a.

INFORMATION SHARING

ACCESS CONTROL

AC-21b.

INFORMATION SHARING

ACCESS CONTROL

AC-21 (1)

AUTOMATED DECISION SUPPORT

ACCESS CONTROL

AC-21 (2)

INFORMATION SEARCH AND RETRIEVAL

ACCESS CONTROL

AC-22

PUBLICLY ACCESSIBLE CONTENT

ACCESS CONTROL

AC-22a.

PUBLICLY ACCESSIBLE CONTENT

ACCESS CONTROL

AC-22b.

PUBLICLY ACCESSIBLE CONTENT

ACCESS CONTROL

AC-22c.

PUBLICLY ACCESSIBLE CONTENT

ACCESS CONTROL

AC-22d.

PUBLICLY ACCESSIBLE CONTENT

ACCESS CONTROL

AC-23

DATA MINING PROTECTION

ACCESS CONTROL

AC-24

ACCESS CONTROL DECISIONS

ACCESS CONTROL

AC-24 (1)

TRANSMIT ACCESS AUTHORIZATION


INFORMATION

ACCESS CONTROL

AC-24 (2)

NO USER OR PROCESS IDENTITY

ACCESS CONTROL

AC-25

REFERENCE MONITOR

AWARENESS AND
TRAINING

AT-1

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-1a.

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-1a.1.

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-1a.2.

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-1b.

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-1b.1.

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-1b.2.

SECURITY AWARENESS AND TRAINING


POLICY AND PROCEDURES

AWARENESS AND
TRAINING

AT-2

SECURITY AWARENESS TRAINING

AWARENESS AND
TRAINING

AT-2a.

SECURITY AWARENESS TRAINING

AWARENESS AND
TRAINING

AT-2b.

SECURITY AWARENESS TRAINING

AWARENESS AND
TRAINING

AT-2c.

SECURITY AWARENESS TRAINING

AWARENESS AND
TRAINING

AT-2 (1)

PRACTICAL EXERCISES

AWARENESS AND
TRAINING

AT-2 (2)

INSIDER THREAT

AWARENESS AND
TRAINING

AT-3

ROLE-BASED SECURITY TRAINING

AWARENESS AND
TRAINING

AT-3a.

ROLE-BASED SECURITY TRAINING

AWARENESS AND
TRAINING

AT-3b.

ROLE-BASED SECURITY TRAINING

AWARENESS AND
TRAINING

AT-3c.

ROLE-BASED SECURITY TRAINING

AWARENESS AND
TRAINING

AT-3 (1)

ENVIRONMENTAL CONTROLS

AWARENESS AND
TRAINING

AT-3 (2)

PHYSICAL SECURITY CONTROLS

AWARENESS AND
TRAINING

AT-3 (3)

PRACTICAL EXERCISES

AWARENESS AND
TRAINING

AT-3 (4)

SUSPICIOUS COMMUNICATIONS AND


ANOMALOUS SYSTEM BEHAVIOR

AWARENESS AND
TRAINING

AT-4

SECURITY TRAINING RECORDS

AWARENESS AND
TRAINING

AT-4a.

SECURITY TRAINING RECORDS

AWARENESS AND
TRAINING

AT-4b.

SECURITY TRAINING RECORDS

AWARENESS AND
TRAINING

AT-5

CONTACTS WITH SECURITY GROUPS AND


ASSOCIATIONS

AUDIT AND
ACCOUNTABILITY

AU-1

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-1a.

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-1a.1.

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-1a.2.

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-1b.

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-1b.1.

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-1b.2.

AUDIT AND ACCOUNTABILITY POLICY AND


PROCEDURES

AUDIT AND
ACCOUNTABILITY

AU-2

AUDIT EVENTS

AUDIT AND
ACCOUNTABILITY

AU-2a.

AUDIT EVENTS

AUDIT AND
ACCOUNTABILITY

AU-2b.

AUDIT EVENTS

AUDIT AND
ACCOUNTABILITY

AU-2c.

AUDIT EVENTS

AUDIT AND
ACCOUNTABILITY

AU-2d.

AUDIT EVENTS

AUDIT AND
ACCOUNTABILITY

AU-2 (1)

COMPILATION OF AUDIT RECORDS FROM


MULTIPLE SOURCES

AUDIT AND
ACCOUNTABILITY

AU-2 (2)

SELECTION OF AUDIT EVENTS BY


COMPONENT

AUDIT AND
ACCOUNTABILITY

AU-2 (3)

REVIEWS AND UPDATES

AUDIT AND
ACCOUNTABILITY

AU-2 (4)

PRIVILEGED FUNCTIONS

AUDIT AND
ACCOUNTABILITY

AU-3

CONTENT OF AUDIT RECORDS

AUDIT AND
ACCOUNTABILITY

AU-3 (1)

ADDITIONAL AUDIT INFORMATION

AUDIT AND
ACCOUNTABILITY

AU-3 (2)

CENTRALIZED MANAGEMENT OF PLANNED


AUDIT RECORD CONTENT

AUDIT AND
ACCOUNTABILITY

AU-4

AUDIT STORAGE CAPACITY

AUDIT AND
ACCOUNTABILITY

AU-4 (1)

TRANSFER TO ALTERNATE STORAGE

AUDIT AND
ACCOUNTABILITY

AU-5

RESPONSE TO AUDIT PROCESSING FAILURES

AUDIT AND
ACCOUNTABILITY

AU-5a.

RESPONSE TO AUDIT PROCESSING FAILURES

AUDIT AND
ACCOUNTABILITY

AU-5b.

RESPONSE TO AUDIT PROCESSING FAILURES

AUDIT AND
ACCOUNTABILITY

AU-5 (1)

AUDIT STORAGE CAPACITY

AUDIT AND
ACCOUNTABILITY

AU-5 (2)

REAL-TIME ALERTS

AUDIT AND
ACCOUNTABILITY

AU-5 (3)

CONFIGURABLE TRAFFIC VOLUME


THRESHOLDS

AUDIT AND
ACCOUNTABILITY

AU-5 (4)

SHUTDOWN ON FAILURE

AUDIT AND
ACCOUNTABILITY

AU-6

AUDIT REVIEW, ANALYSIS, AND REPORTING

AUDIT AND
ACCOUNTABILITY

AU-6a.

AUDIT REVIEW, ANALYSIS, AND REPORTING

AUDIT AND
ACCOUNTABILITY

AU-6b.

AUDIT REVIEW, ANALYSIS, AND REPORTING

AUDIT AND
ACCOUNTABILITY

AU-6 (1)

PROCESS INTEGRATION

AUDIT AND
ACCOUNTABILITY

AU-6 (2)

AUTOMATED SECURITY ALERTS

AUDIT AND
ACCOUNTABILITY

AU-6 (3)

CORRELATE AUDIT REPOSITORIES

AUDIT AND
ACCOUNTABILITY

AU-6 (4)

CENTRAL REVIEW AND ANALYSIS

AUDIT AND
ACCOUNTABILITY

AU-6 (5)

INTEGRATION / SCANNING AND MONITORING


CAPABILITIES

AUDIT AND
ACCOUNTABILITY

AU-6 (6)

CORRELATION WITH PHYSICAL MONITORING

AUDIT AND
ACCOUNTABILITY

AU-6 (7)

PERMITTED ACTIONS

AUDIT AND
ACCOUNTABILITY

AU-6 (8)

FULL TEXT ANALYSIS OF PRIVILEGED


COMMANDS

AUDIT AND
ACCOUNTABILITY

AU-6 (9)

CORRELATION WITH INFORMATION FROM


NONTECHNICAL SOURCES

AUDIT AND
ACCOUNTABILITY

AU-6 (10)

AUDIT LEVEL ADJUSTMENT

AUDIT AND
ACCOUNTABILITY

AU-7

AUDIT REDUCTION AND REPORT


GENERATION

AUDIT AND
ACCOUNTABILITY

AU-7a.

AUDIT REDUCTION AND REPORT


GENERATION

AUDIT AND
ACCOUNTABILITY

AU-7b.

AUDIT REDUCTION AND REPORT


GENERATION

AUDIT AND
ACCOUNTABILITY

AU-7 (1)

AUTOMATIC PROCESSING

AUDIT AND
ACCOUNTABILITY

AU-7 (2)

AUTOMATIC SORT AND SEARCH

AUDIT AND
ACCOUNTABILITY

AU-8

TIME STAMPS

AUDIT AND
ACCOUNTABILITY

AU-8a.

TIME STAMPS

AUDIT AND
ACCOUNTABILITY

AU-8b.

TIME STAMPS

AUDIT AND
ACCOUNTABILITY

AU-8 (1)

SYNCHRONIZATION WITH AUTHORITATIVE


TIME SOURCE

AUDIT AND
ACCOUNTABILITY

AU-8 (1)(a)

SYNCHRONIZATION WITH AUTHORITATIVE


TIME SOURCE

AUDIT AND
ACCOUNTABILITY

AU-8 (1)(b)

SYNCHRONIZATION WITH AUTHORITATIVE


TIME SOURCE

AUDIT AND
ACCOUNTABILITY

AU-8 (2)

SECONDARY AUTHORITATIVE TIME SOURCE

AUDIT AND
ACCOUNTABILITY

AU-9

PROTECTION OF AUDIT INFORMATION

AUDIT AND
ACCOUNTABILITY

AU-9 (1)

HARDWARE WRITE-ONCE MEDIA

AUDIT AND
ACCOUNTABILITY

AU-9 (2)

AUDIT BACKUP ON SEPARATE PHYSICAL


SYSTEMS / COMPONENTS

AUDIT AND
ACCOUNTABILITY

AU-9 (3)

CRYPTOGRAPHIC PROTECTION

AUDIT AND
ACCOUNTABILITY

AU-9 (4)

ACCESS BY SUBSET OF PRIVILEGED USERS

AUDIT AND
ACCOUNTABILITY

AU-9 (5)

DUAL AUTHORIZATION

AUDIT AND
ACCOUNTABILITY

AU-9 (6)

READ ONLY ACCESS

AUDIT AND
ACCOUNTABILITY

AU-10

NON-REPUDIATION

AUDIT AND
ACCOUNTABILITY

AU-10 (1)

ASSOCIATION OF IDENTITIES

AUDIT AND
ACCOUNTABILITY

AU-10 (1)(a)

ASSOCIATION OF IDENTITIES

AUDIT AND
ACCOUNTABILITY

AU-10 (1)(b)

ASSOCIATION OF IDENTITIES

AUDIT AND
ACCOUNTABILITY

AU-10 (2)

VALIDATE BINDING OF INFORMATION


PRODUCER IDENTITY

AUDIT AND
ACCOUNTABILITY

AU-10 (2)(a)

VALIDATE BINDING OF INFORMATION


PRODUCER IDENTITY

AUDIT AND
ACCOUNTABILITY

AU-10 (2)(b)

VALIDATE BINDING OF INFORMATION


PRODUCER IDENTITY

AUDIT AND
ACCOUNTABILITY

AU-10 (3)

CHAIN OF CUSTODY

AUDIT AND
ACCOUNTABILITY

AU-10 (4)

VALIDATE BINDING OF INFORMATION


REVIEWER IDENTITY

AUDIT AND
ACCOUNTABILITY

AU-10 (4)(a)

VALIDATE BINDING OF INFORMATION


REVIEWER IDENTITY

AUDIT AND
ACCOUNTABILITY

AU-10 (4)(b)

VALIDATE BINDING OF INFORMATION


REVIEWER IDENTITY

AUDIT AND
ACCOUNTABILITY

AU-10 (5)

DIGITAL SIGNATURES

AUDIT AND
ACCOUNTABILITY

AU-11

AUDIT RECORD RETENTION

AUDIT AND
ACCOUNTABILITY

AU-11 (1)

LONG-TERM RETRIEVAL CAPABILITY

AUDIT AND
ACCOUNTABILITY

AU-12

AUDIT GENERATION

AUDIT AND
ACCOUNTABILITY

AU-12a.

AUDIT GENERATION

AUDIT AND
ACCOUNTABILITY

AU-12b.

AUDIT GENERATION

AUDIT AND
ACCOUNTABILITY

AU-12c.

AUDIT GENERATION

AUDIT AND
ACCOUNTABILITY

AU-12 (1)

SYSTEM-WIDE / TIME-CORRELATED AUDIT


TRAIL

AUDIT AND
ACCOUNTABILITY

AU-12 (2)

STANDARDIZED FORMATS

AUDIT AND
ACCOUNTABILITY

AU-12 (3)

CHANGES BY AUTHORIZED INDIVIDUALS

AUDIT AND
ACCOUNTABILITY

AU-13

MONITORING FOR INFORMATION


DISCLOSURE

AUDIT AND
ACCOUNTABILITY

AU-13 (1)

USE OF AUTOMATED TOOLS

AUDIT AND
ACCOUNTABILITY

AU-13 (2)

REVIEW OF MONITORED SITES

AUDIT AND
ACCOUNTABILITY

AU-14

SESSION AUDIT

AUDIT AND
ACCOUNTABILITY

AU-14 (1)

SYSTEM START-UP

AUDIT AND
ACCOUNTABILITY

AU-14 (2)

CAPTURE/RECORD AND LOG CONTENT

AUDIT AND
ACCOUNTABILITY

AU-14 (3)

REMOTE VIEWING / LISTENING

AUDIT AND
ACCOUNTABILITY

AU-15

ALTERNATE AUDIT CAPABILITY

AUDIT AND
ACCOUNTABILITY

AU-16

CROSS-ORGANIZATIONAL AUDITING

AUDIT AND
ACCOUNTABILITY

AU-16 (1)

IDENTITY PRESERVATION

AUDIT AND
ACCOUNTABILITY

AU-16 (2)

SHARING OF AUDIT INFORMATION

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1a.

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1a.1.

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1a.2.

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1b.

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1b.1.

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-1b.2.

SECURITY ASSESSMENT AND


AUTHORIZATION POLICY AND PROCEDURES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2a.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2a.1.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2a.2.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2a.3.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2b.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2c.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2d.

SECURITY ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2 (1)

INDEPENDENT ASSESSORS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2 (2)

SPECIALIZED ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-2 (3)

EXTERNAL ORGANIZATIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3

SYSTEM INTERCONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3a.

SYSTEM INTERCONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3b.

SYSTEM INTERCONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3c.

SYSTEM INTERCONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3 (1)

UNCLASSIFIED NATIONAL SECURITY SYSTEM


CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3 (2)

CLASSIFIED NATIONAL SECURITY SYSTEM


CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3 (3)

UNCLASSIFIED NON-NATIONAL SECURITY


SYSTEM CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3 (4)

CONNECTIONS TO PUBLIC NETWORKS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-3 (5)

RESTRICTIONS ON EXTERNAL SYSTEM


CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-4

SECURITY CERTIFICATION

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-5

PLAN OF ACTION AND MILESTONES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-5a.

PLAN OF ACTION AND MILESTONES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-5b.

PLAN OF ACTION AND MILESTONES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-5 (1)

AUTOMATION SUPPORT FOR ACCURACY /


CURRENCY

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-6

SECURITY AUTHORIZATION

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-6a.

SECURITY AUTHORIZATION

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-6b.

SECURITY AUTHORIZATION

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-6c.

SECURITY AUTHORIZATION

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7a.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7b.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7c.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7d.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7e.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7f.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7g.

CONTINUOUS MONITORING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7 (1)

INDEPENDENT ASSESSMENT

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7 (2)

TYPES OF ASSESSMENTS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-7 (3)

TREND ANALYSES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-8

PENETRATION TESTING

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-8 (1)

INDEPENDENT PENETRATION AGENT OR


TEAM

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-8 (2)

RED TEAM EXERCISES

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-9

INTERNAL SYSTEM CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-9a.

INTERNAL SYSTEM CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-9b.

INTERNAL SYSTEM CONNECTIONS

SECURITY ASSESSMENT
AND AUTHORIZATION

CA-9 (1)

SECURITY COMPLIANCE CHECKS

CONFIGURATION
MANAGEMENT

CM-1

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-1a.

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-1a.1.

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-1a.2.

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-1b.

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-1b.1.

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-1b.2.

CONFIGURATION MANAGEMENT POLICY AND


PROCEDURES

CONFIGURATION
MANAGEMENT

CM-2

BASELINE CONFIGURATION

CONFIGURATION
MANAGEMENT

CM-2 (1)

REVIEWS AND UPDATES

CONFIGURATION
MANAGEMENT

CM-2 (1)(a)

REVIEWS AND UPDATES

CONFIGURATION
MANAGEMENT

CM-2 (1)(b)

REVIEWS AND UPDATES

CONFIGURATION
MANAGEMENT

CM-2 (1)(c)

REVIEWS AND UPDATES

CONFIGURATION
MANAGEMENT

CM-2 (2)

AUTOMATION SUPPORT FOR ACCURACY /


CURRENCY

CONFIGURATION
MANAGEMENT

CM-2 (3)

RETENTION OF PREVIOUS CONFIGURATIONS

CONFIGURATION
MANAGEMENT

CM-2 (4)

UNAUTHORIZED SOFTWARE

CONFIGURATION
MANAGEMENT

CM-2 (5)

AUTHORIZED SOFTWARE

CONFIGURATION
MANAGEMENT

CM-2 (6)

DEVELOPMENT AND TEST ENVIRONMENTS

CONFIGURATION
MANAGEMENT

CM-2 (7)

CONFIGURE SYSTEMS, COMPONENTS, OR


DEVICES FOR HIGH-RISK AREAS

CONFIGURATION
MANAGEMENT

CM-2 (7)(a)

CONFIGURE SYSTEMS, COMPONENTS, OR


DEVICES FOR HIGH-RISK AREAS

CONFIGURATION
MANAGEMENT

CM-2 (7)(b)

CONFIGURE SYSTEMS, COMPONENTS, OR


DEVICES FOR HIGH-RISK AREAS

CONFIGURATION
MANAGEMENT

CM-3

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3a.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3b.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3c.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3d.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3e.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3f.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3g.

CONFIGURATION CHANGE CONTROL

CONFIGURATION
MANAGEMENT

CM-3 (1)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (1)(a)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (1)(b)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (1)(c)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (1)(d)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (1)(e)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (1)(f)

AUTOMATED DOCUMENT / NOTIFICATION /


PROHIBITION OF CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (2)

TEST / VALIDATE / DOCUMENT CHANGES

CONFIGURATION
MANAGEMENT

CM-3 (3)

AUTOMATED CHANGE IMPLEMENTATION

CONFIGURATION
MANAGEMENT

CM-3 (4)

SECURITY REPRESENTATIVE

CONFIGURATION
MANAGEMENT

CM-3 (5)

AUTOMATED SECURITY RESPONSE

CONFIGURATION
MANAGEMENT

CM-3 (6)

CRYPTOGRAPHY MANAGEMENT

CONFIGURATION
MANAGEMENT

CM-4

SECURITY IMPACT ANALYSIS

CONFIGURATION
MANAGEMENT

CM-4 (1)

SEPARATE TEST ENVIRONMENTS

CONFIGURATION
MANAGEMENT

CM-4 (2)

VERIFICATION OF SECURITY FUNCTIONS

CONFIGURATION
MANAGEMENT

CM-5

ACCESS RESTRICTIONS FOR CHANGE

CONFIGURATION
MANAGEMENT

CM-5 (1)

AUTOMATED ACCESS ENFORCEMENT /


AUDITING

CONFIGURATION
MANAGEMENT

CM-5 (2)

REVIEW SYSTEM CHANGES

CONFIGURATION
MANAGEMENT

CM-5 (3)

SIGNED COMPONENTS

CONFIGURATION
MANAGEMENT

CM-5 (4)

DUAL AUTHORIZATION

CONFIGURATION
MANAGEMENT

CM-5 (5)

LIMIT PRODUCTION / OPERATIONAL


PRIVILEGES

CONFIGURATION
MANAGEMENT

CM-5 (5)(a)

CONFIGURATION
MANAGEMENT

CM-5 (5)(b)

CONFIGURATION
MANAGEMENT

CM-5 (6)

LIMIT LIBRARY PRIVILEGES

CONFIGURATION
MANAGEMENT

CM-5 (7)

AUTOMATIC IMPLEMENTATION OF SECURITY


SAFEGUARDS

CONFIGURATION
MANAGEMENT

CM-6

CONFIGURATION SETTINGS

CONFIGURATION
MANAGEMENT

CM-6a.

CONFIGURATION
MANAGEMENT

CM-6b.

CONFIGURATION
MANAGEMENT

CM-6c.

CONFIGURATION
MANAGEMENT

CM-6d.

CONFIGURATION
MANAGEMENT

CM-6 (1)

AUTOMATED CENTRAL MANAGEMENT /


APPLICATION / VERIFICATION

CONFIGURATION
MANAGEMENT

CM-6 (2)

RESPOND TO UNAUTHORIZED CHANGES

CONFIGURATION
MANAGEMENT

CM-6 (3)

UNAUTHORIZED CHANGE DETECTION

CONFIGURATION
MANAGEMENT

CM-6 (4)

CONFORMANCE DEMONSTRATION

CONFIGURATION
MANAGEMENT

CM-7

LEAST FUNCTIONALITY

CONFIGURATION
MANAGEMENT

CM-7a.

LEAST FUNCTIONALITY

CONFIGURATION
MANAGEMENT

CM-7b.

LEAST FUNCTIONALITY

CONFIGURATION
MANAGEMENT

CM-7 (1)

PERIODIC REVIEW

CONFIGURATION
MANAGEMENT

CM-7 (1)(a)

PERIODIC REVIEW

CONFIGURATION
MANAGEMENT

CM-7 (1)(b)

PERIODIC REVIEW

CONFIGURATION
MANAGEMENT

CM-7 (2)

PREVENT PROGRAM EXECUTION

CONFIGURATION
MANAGEMENT

CM-7 (3)

REGISTRATION COMPLIANCE

CONFIGURATION
MANAGEMENT

CM-7 (4)

UNAUTHORIZED SOFTWARE / BLACKLISTING

CONFIGURATION
MANAGEMENT

CONFIGURATION MANAGEMENT | CM-7 (4)(a) | UNAUTHORIZED SOFTWARE / BLACKLISTING
CONFIGURATION MANAGEMENT | CM-7 (4)(b) | UNAUTHORIZED SOFTWARE / BLACKLISTING
CONFIGURATION MANAGEMENT | CM-7 (4)(c) | UNAUTHORIZED SOFTWARE / BLACKLISTING
CONFIGURATION MANAGEMENT | CM-7 (5) | AUTHORIZED SOFTWARE / WHITELISTING
CONFIGURATION MANAGEMENT | CM-7 (5)(a) | AUTHORIZED SOFTWARE / WHITELISTING
CONFIGURATION MANAGEMENT | CM-7 (5)(b) | AUTHORIZED SOFTWARE / WHITELISTING
CONFIGURATION MANAGEMENT | CM-7 (5)(c) | AUTHORIZED SOFTWARE / WHITELISTING
CONFIGURATION MANAGEMENT | CM-8 | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8a. | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8a.1. | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8a.2. | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8a.3. | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8a.4. | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8b. | INFORMATION SYSTEM COMPONENT INVENTORY
CONFIGURATION MANAGEMENT | CM-8 (1) | UPDATES DURING INSTALLATIONS / REMOVALS
CONFIGURATION MANAGEMENT | CM-8 (2) | AUTOMATED MAINTENANCE
CONFIGURATION MANAGEMENT | CM-8 (3) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
CONFIGURATION MANAGEMENT | CM-8 (3)(a) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
CONFIGURATION MANAGEMENT | CM-8 (3)(b) | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
CONFIGURATION MANAGEMENT | CM-8 (4) | ACCOUNTABILITY INFORMATION
CONFIGURATION MANAGEMENT | CM-8 (5) | NO DUPLICATE ACCOUNTING OF COMPONENTS
CONFIGURATION MANAGEMENT | CM-8 (6) | ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS
CONFIGURATION MANAGEMENT | CM-8 (7) | CENTRALIZED REPOSITORY
CONFIGURATION MANAGEMENT | CM-8 (8) | AUTOMATED LOCATION TRACKING
CONFIGURATION MANAGEMENT | CM-8 (9) | ASSIGNMENT OF COMPONENTS TO SYSTEMS
CONFIGURATION MANAGEMENT | CM-8 (9)(a) | ASSIGNMENT OF COMPONENTS TO SYSTEMS
CONFIGURATION MANAGEMENT | CM-8 (9)(b) | ASSIGNMENT OF COMPONENTS TO SYSTEMS
CONFIGURATION MANAGEMENT | CM-9 | CONFIGURATION MANAGEMENT PLAN
CONFIGURATION MANAGEMENT | CM-9a. | CONFIGURATION MANAGEMENT PLAN
CONFIGURATION MANAGEMENT | CM-9b. | CONFIGURATION MANAGEMENT PLAN
CONFIGURATION MANAGEMENT | CM-9c. | CONFIGURATION MANAGEMENT PLAN
CONFIGURATION MANAGEMENT | CM-9d. | CONFIGURATION MANAGEMENT PLAN
CONFIGURATION MANAGEMENT | CM-9 (1) | ASSIGNMENT OF RESPONSIBILITY
CONFIGURATION MANAGEMENT | CM-10 | SOFTWARE USAGE RESTRICTIONS
CONFIGURATION MANAGEMENT | CM-10a. | SOFTWARE USAGE RESTRICTIONS
CONFIGURATION MANAGEMENT | CM-10b. | SOFTWARE USAGE RESTRICTIONS
CONFIGURATION MANAGEMENT | CM-10c. | SOFTWARE USAGE RESTRICTIONS
CONFIGURATION MANAGEMENT | CM-10 (1) | OPEN SOURCE SOFTWARE
CONFIGURATION MANAGEMENT | CM-11 | USER-INSTALLED SOFTWARE
CONFIGURATION MANAGEMENT | CM-11a. | USER-INSTALLED SOFTWARE
CONFIGURATION MANAGEMENT | CM-11b. | USER-INSTALLED SOFTWARE
CONFIGURATION MANAGEMENT | CM-11c. | USER-INSTALLED SOFTWARE
CONFIGURATION MANAGEMENT | CM-11 (1) | ALERTS FOR UNAUTHORIZED INSTALLATIONS
CONFIGURATION MANAGEMENT | CM-11 (2) | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS

CONTINGENCY PLANNING | CP-1 | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-1a. | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-1a.1. | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-1a.2. | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-1b. | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-1b.1. | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-1b.2. | CONTINGENCY PLANNING POLICY AND PROCEDURES
CONTINGENCY PLANNING | CP-2 | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a.1. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a.2. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a.3. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a.4. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a.5. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2a.6. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2b. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2c. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2d. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2e. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2f. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2g. | CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-2 (1) | COORDINATE WITH RELATED PLANS
CONTINGENCY PLANNING | CP-2 (2) | CAPACITY PLANNING
CONTINGENCY PLANNING | CP-2 (3) | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
CONTINGENCY PLANNING | CP-2 (4) | RESUME ALL MISSIONS / BUSINESS FUNCTIONS
CONTINGENCY PLANNING | CP-2 (5) | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
CONTINGENCY PLANNING | CP-2 (6) | ALTERNATE PROCESSING / STORAGE SITE
CONTINGENCY PLANNING | CP-2 (7) | COORDINATE WITH EXTERNAL SERVICE PROVIDERS
CONTINGENCY PLANNING | CP-2 (8) | IDENTIFY CRITICAL ASSETS
CONTINGENCY PLANNING | CP-3 | CONTINGENCY TRAINING
CONTINGENCY PLANNING | CP-3a. | CONTINGENCY TRAINING
CONTINGENCY PLANNING | CP-3b. | CONTINGENCY TRAINING
CONTINGENCY PLANNING | CP-3c. | CONTINGENCY TRAINING
CONTINGENCY PLANNING | CP-3 (1) | SIMULATED EVENTS
CONTINGENCY PLANNING | CP-3 (2) | AUTOMATED TRAINING ENVIRONMENTS
CONTINGENCY PLANNING | CP-4 | CONTINGENCY PLAN TESTING
CONTINGENCY PLANNING | CP-4a. | CONTINGENCY PLAN TESTING
CONTINGENCY PLANNING | CP-4b. | CONTINGENCY PLAN TESTING
CONTINGENCY PLANNING | CP-4c. | CONTINGENCY PLAN TESTING
CONTINGENCY PLANNING | CP-4 (1) | COORDINATE WITH RELATED PLANS
CONTINGENCY PLANNING | CP-4 (2) | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-4 (2)(a) | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-4 (2)(b) | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-4 (3) | AUTOMATED TESTING
CONTINGENCY PLANNING | CP-4 (4) | FULL RECOVERY / RECONSTITUTION
CONTINGENCY PLANNING | CP-5 | CONTINGENCY PLAN UPDATE
CONTINGENCY PLANNING | CP-6 | ALTERNATE STORAGE SITE
CONTINGENCY PLANNING | CP-6a. | ALTERNATE STORAGE SITE
CONTINGENCY PLANNING | CP-6b. | ALTERNATE STORAGE SITE
CONTINGENCY PLANNING | CP-6 (1) | SEPARATION FROM PRIMARY SITE
CONTINGENCY PLANNING | CP-6 (2) | RECOVERY TIME / POINT OBJECTIVES
CONTINGENCY PLANNING | CP-6 (3) | ACCESSIBILITY
CONTINGENCY PLANNING | CP-7 | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-7a. | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-7b. | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-7c. | ALTERNATE PROCESSING SITE
CONTINGENCY PLANNING | CP-7 (1) | SEPARATION FROM PRIMARY SITE
CONTINGENCY PLANNING | CP-7 (2) | ACCESSIBILITY
CONTINGENCY PLANNING | CP-7 (3) | PRIORITY OF SERVICE
CONTINGENCY PLANNING | CP-7 (4) | PREPARATION FOR USE
CONTINGENCY PLANNING | CP-7 (5) | EQUIVALENT INFORMATION SECURITY SAFEGUARDS
CONTINGENCY PLANNING | CP-7 (6) | INABILITY TO RETURN TO PRIMARY SITE
CONTINGENCY PLANNING | CP-8 | TELECOMMUNICATIONS SERVICES
CONTINGENCY PLANNING | CP-8 (1) | PRIORITY OF SERVICE PROVISIONS
CONTINGENCY PLANNING | CP-8 (1)(a) | PRIORITY OF SERVICE PROVISIONS
CONTINGENCY PLANNING | CP-8 (1)(b) | PRIORITY OF SERVICE PROVISIONS
CONTINGENCY PLANNING | CP-8 (2) | SINGLE POINTS OF FAILURE
CONTINGENCY PLANNING | CP-8 (3) | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS
CONTINGENCY PLANNING | CP-8 (4) | PROVIDER CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-8 (4)(a) | PROVIDER CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-8 (4)(b) | PROVIDER CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-8 (4)(c) | PROVIDER CONTINGENCY PLAN
CONTINGENCY PLANNING | CP-8 (5) | ALTERNATE TELECOMMUNICATION SERVICE TESTING
CONTINGENCY PLANNING | CP-9 | INFORMATION SYSTEM BACKUP
CONTINGENCY PLANNING | CP-9a. | INFORMATION SYSTEM BACKUP
CONTINGENCY PLANNING | CP-9b. | INFORMATION SYSTEM BACKUP
CONTINGENCY PLANNING | CP-9c. | INFORMATION SYSTEM BACKUP
CONTINGENCY PLANNING | CP-9d. | INFORMATION SYSTEM BACKUP
CONTINGENCY PLANNING | CP-9 (1) | TESTING FOR RELIABILITY / INTEGRITY
CONTINGENCY PLANNING | CP-9 (2) | TEST RESTORATION USING SAMPLING
CONTINGENCY PLANNING | CP-9 (3) | SEPARATE STORAGE FOR CRITICAL INFORMATION
CONTINGENCY PLANNING | CP-9 (4) | PROTECTION FROM UNAUTHORIZED MODIFICATION
CONTINGENCY PLANNING | CP-9 (5) | TRANSFER TO ALTERNATE STORAGE SITE
CONTINGENCY PLANNING | CP-9 (6) | REDUNDANT SECONDARY SYSTEM
CONTINGENCY PLANNING | CP-9 (7) | DUAL AUTHORIZATION
CONTINGENCY PLANNING | CP-10 | INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
CONTINGENCY PLANNING | CP-10 (1) | CONTINGENCY PLAN TESTING
CONTINGENCY PLANNING | CP-10 (2) | TRANSACTION RECOVERY
CONTINGENCY PLANNING | CP-10 (3) | COMPENSATING SECURITY CONTROLS
CONTINGENCY PLANNING | CP-10 (4) | RESTORE WITHIN TIME PERIOD
CONTINGENCY PLANNING | CP-10 (5) | FAILOVER CAPABILITY
CONTINGENCY PLANNING | CP-10 (6) | COMPONENT PROTECTION
CONTINGENCY PLANNING | CP-11 | ALTERNATE COMMUNICATIONS PROTOCOLS
CONTINGENCY PLANNING | CP-12 | SAFE MODE
CONTINGENCY PLANNING | CP-13 | ALTERNATIVE SECURITY MECHANISMS

IDENTIFICATION AND AUTHENTICATION | IA-1 | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-1a. | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-1a.1. | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-1a.2. | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-1b. | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-1b.1. | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-1b.2. | IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
IDENTIFICATION AND AUTHENTICATION | IA-2 | IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IDENTIFICATION AND AUTHENTICATION | IA-2 (1) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
IDENTIFICATION AND AUTHENTICATION | IA-2 (2) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
IDENTIFICATION AND AUTHENTICATION | IA-2 (3) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS
IDENTIFICATION AND AUTHENTICATION | IA-2 (4) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
IDENTIFICATION AND AUTHENTICATION | IA-2 (5) | GROUP AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-2 (6) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - SEPARATE DEVICE
IDENTIFICATION AND AUTHENTICATION | IA-2 (7) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - SEPARATE DEVICE
IDENTIFICATION AND AUTHENTICATION | IA-2 (8) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
IDENTIFICATION AND AUTHENTICATION | IA-2 (9) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT
IDENTIFICATION AND AUTHENTICATION | IA-2 (10) | SINGLE SIGN-ON
IDENTIFICATION AND AUTHENTICATION | IA-2 (11) | REMOTE ACCESS - SEPARATE DEVICE
IDENTIFICATION AND AUTHENTICATION | IA-2 (12) | ACCEPTANCE OF PIV CREDENTIALS
IDENTIFICATION AND AUTHENTICATION | IA-2 (13) | OUT-OF-BAND AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-3 | DEVICE IDENTIFICATION AND AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-3 (1) | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-3 (2) | CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-3 (3) | DYNAMIC ADDRESS ALLOCATION
IDENTIFICATION AND AUTHENTICATION | IA-3 (3)(a) | DYNAMIC ADDRESS ALLOCATION
IDENTIFICATION AND AUTHENTICATION | IA-3 (3)(b) | DYNAMIC ADDRESS ALLOCATION
IDENTIFICATION AND AUTHENTICATION | IA-3 (4) | DEVICE ATTESTATION
IDENTIFICATION AND AUTHENTICATION | IA-4 | IDENTIFIER MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4a. | IDENTIFIER MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4b. | IDENTIFIER MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4c. | IDENTIFIER MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4d. | IDENTIFIER MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4e. | IDENTIFIER MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4 (1) | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS
IDENTIFICATION AND AUTHENTICATION | IA-4 (2) | SUPERVISOR AUTHORIZATION
IDENTIFICATION AND AUTHENTICATION | IA-4 (3) | MULTIPLE FORMS OF CERTIFICATION
IDENTIFICATION AND AUTHENTICATION | IA-4 (4) | IDENTIFY USER STATUS
IDENTIFICATION AND AUTHENTICATION | IA-4 (5) | DYNAMIC MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4 (6) | CROSS-ORGANIZATION MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-4 (7) | IN-PERSON REGISTRATION
IDENTIFICATION AND AUTHENTICATION | IA-5 | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5a. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5b. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5c. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5d. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5e. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5f. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5g. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5h. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5i. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5j. | AUTHENTICATOR MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5 (1) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (1)(a) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (1)(b) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (1)(c) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (1)(d) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (1)(e) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (1)(f) | PASSWORD-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (2) | PKI-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (2)(a) | PKI-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (2)(b) | PKI-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (2)(c) | PKI-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (2)(d) | PKI-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (3) | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (4) | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (5) | CHANGE AUTHENTICATORS PRIOR TO DELIVERY
IDENTIFICATION AND AUTHENTICATION | IA-5 (6) | PROTECTION OF AUTHENTICATORS
IDENTIFICATION AND AUTHENTICATION | IA-5 (7) | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
IDENTIFICATION AND AUTHENTICATION | IA-5 (8) | MULTIPLE INFORMATION SYSTEM ACCOUNTS
IDENTIFICATION AND AUTHENTICATION | IA-5 (9) | CROSS-ORGANIZATION CREDENTIAL MANAGEMENT
IDENTIFICATION AND AUTHENTICATION | IA-5 (10) | DYNAMIC CREDENTIAL ASSOCIATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (11) | HARDWARE TOKEN-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (12) | BIOMETRIC-BASED AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-5 (13) | EXPIRATION OF CACHED AUTHENTICATORS
IDENTIFICATION AND AUTHENTICATION | IA-5 (14) | MANAGING CONTENT OF PKI TRUST STORES
IDENTIFICATION AND AUTHENTICATION | IA-5 (15) | FICAM-APPROVED PRODUCTS AND SERVICES
IDENTIFICATION AND AUTHENTICATION | IA-6 | AUTHENTICATOR FEEDBACK
IDENTIFICATION AND AUTHENTICATION | IA-7 | CRYPTOGRAPHIC MODULE AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-8 | IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
IDENTIFICATION AND AUTHENTICATION | IA-8 (1) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
IDENTIFICATION AND AUTHENTICATION | IA-8 (2) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS
IDENTIFICATION AND AUTHENTICATION | IA-8 (3) | USE OF FICAM-APPROVED PRODUCTS
IDENTIFICATION AND AUTHENTICATION | IA-8 (4) | USE OF FICAM-ISSUED PROFILES
IDENTIFICATION AND AUTHENTICATION | IA-8 (5) | ACCEPTANCE OF PIV-I CREDENTIALS
IDENTIFICATION AND AUTHENTICATION | IA-9 | SERVICE IDENTIFICATION AND AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-9 (1) | INFORMATION EXCHANGE
IDENTIFICATION AND AUTHENTICATION | IA-9 (2) | TRANSMISSION OF DECISIONS
IDENTIFICATION AND AUTHENTICATION | IA-10 | ADAPTIVE IDENTIFICATION AND AUTHENTICATION
IDENTIFICATION AND AUTHENTICATION | IA-11 | RE-AUTHENTICATION

INCIDENT RESPONSE | IR-1 | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-1a. | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-1a.1. | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-1a.2. | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-1b. | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-1b.1. | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-1b.2. | INCIDENT RESPONSE POLICY AND PROCEDURES
INCIDENT RESPONSE | IR-2 | INCIDENT RESPONSE TRAINING
INCIDENT RESPONSE | IR-2a. | INCIDENT RESPONSE TRAINING
INCIDENT RESPONSE | IR-2b. | INCIDENT RESPONSE TRAINING
INCIDENT RESPONSE | IR-2c. | INCIDENT RESPONSE TRAINING
INCIDENT RESPONSE | IR-2 (1) | SIMULATED EVENTS
INCIDENT RESPONSE | IR-2 (2) | AUTOMATED TRAINING ENVIRONMENTS
INCIDENT RESPONSE | IR-3 | INCIDENT RESPONSE TESTING
INCIDENT RESPONSE | IR-3 (1) | AUTOMATED TESTING
INCIDENT RESPONSE | IR-3 (2) | COORDINATION WITH RELATED PLANS
INCIDENT RESPONSE | IR-4 | INCIDENT HANDLING
INCIDENT RESPONSE | IR-4a. | INCIDENT HANDLING
INCIDENT RESPONSE | IR-4b. | INCIDENT HANDLING
INCIDENT RESPONSE | IR-4c. | INCIDENT HANDLING
INCIDENT RESPONSE | IR-4 (1) | AUTOMATED INCIDENT HANDLING PROCESSES
INCIDENT RESPONSE | IR-4 (2) | DYNAMIC RECONFIGURATION
INCIDENT RESPONSE | IR-4 (3) | CONTINUITY OF OPERATIONS
INCIDENT RESPONSE | IR-4 (4) | INFORMATION CORRELATION
INCIDENT RESPONSE | IR-4 (5) | AUTOMATIC DISABLING OF INFORMATION SYSTEM
INCIDENT RESPONSE | IR-4 (6) | INSIDER THREATS - SPECIFIC CAPABILITIES
INCIDENT RESPONSE | IR-4 (7) | INSIDER THREATS - INTRA-ORGANIZATION COORDINATION
INCIDENT RESPONSE | IR-4 (8) | CORRELATION WITH EXTERNAL ORGANIZATIONS
INCIDENT RESPONSE | IR-4 (9) | DYNAMIC RESPONSE CAPABILITY
INCIDENT RESPONSE | IR-4 (10) | SUPPLY CHAIN COORDINATION
INCIDENT RESPONSE | IR-5 | INCIDENT MONITORING
INCIDENT RESPONSE | IR-5 (1) | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS
INCIDENT RESPONSE | IR-6 | INCIDENT REPORTING
INCIDENT RESPONSE | IR-6a. | INCIDENT REPORTING
INCIDENT RESPONSE | IR-6b. | INCIDENT REPORTING
INCIDENT RESPONSE | IR-6 (1) | AUTOMATED REPORTING
INCIDENT RESPONSE | IR-6 (2) | VULNERABILITIES RELATED TO INCIDENTS
INCIDENT RESPONSE | IR-6 (3) | COORDINATION WITH SUPPLY CHAIN
INCIDENT RESPONSE | IR-7 | INCIDENT RESPONSE ASSISTANCE
INCIDENT RESPONSE | IR-7 (1) | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
INCIDENT RESPONSE | IR-7 (2) | COORDINATION WITH EXTERNAL PROVIDERS
INCIDENT RESPONSE | IR-7 (2)(a) | COORDINATION WITH EXTERNAL PROVIDERS
INCIDENT RESPONSE | IR-7 (2)(b) | COORDINATION WITH EXTERNAL PROVIDERS
INCIDENT RESPONSE | IR-8 | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.1. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.2. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.3. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.4. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.5. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.6. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.7. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8a.8. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8b. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8c. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8d. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8e. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-8f. | INCIDENT RESPONSE PLAN
INCIDENT RESPONSE | IR-9 | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9a. | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9b. | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9c. | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9d. | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9e. | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9f. | INFORMATION SPILLAGE RESPONSE
INCIDENT RESPONSE | IR-9 (1) | RESPONSIBLE PERSONNEL
INCIDENT RESPONSE | IR-9 (2) | TRAINING
INCIDENT RESPONSE | IR-9 (3) | POST-SPILL OPERATIONS
INCIDENT RESPONSE | IR-9 (4) | EXPOSURE TO UNAUTHORIZED PERSONNEL
INCIDENT RESPONSE | IR-10 | INTEGRATED INFORMATION SECURITY ANALYSIS TEAM

MAINTENANCE | MA-1 | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-1a. | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-1a.1. | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-1a.2. | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-1b. | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-1b.1. | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-1b.2. | SYSTEM MAINTENANCE POLICY AND PROCEDURES
MAINTENANCE | MA-2 | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2a. | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2b. | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2c. | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2d. | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2e. | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2f. | CONTROLLED MAINTENANCE
MAINTENANCE | MA-2 (1) | RECORD CONTENT
MAINTENANCE | MA-2 (2) | AUTOMATED MAINTENANCE ACTIVITIES
MAINTENANCE | MA-2 (2)(a) | AUTOMATED MAINTENANCE ACTIVITIES
MAINTENANCE | MA-2 (2)(b) | AUTOMATED MAINTENANCE ACTIVITIES
MAINTENANCE | MA-3 | MAINTENANCE TOOLS
MAINTENANCE | MA-3 (1) | INSPECT TOOLS
MAINTENANCE | MA-3 (2) | INSPECT MEDIA
MAINTENANCE | MA-3 (3) | PREVENT UNAUTHORIZED REMOVAL
MAINTENANCE | MA-3 (3)(a) | PREVENT UNAUTHORIZED REMOVAL
MAINTENANCE | MA-3 (3)(b) | PREVENT UNAUTHORIZED REMOVAL
MAINTENANCE | MA-3 (3)(c) | PREVENT UNAUTHORIZED REMOVAL
MAINTENANCE | MA-3 (3)(d) | PREVENT UNAUTHORIZED REMOVAL
MAINTENANCE | MA-3 (4) | RESTRICTED TOOL USE
MAINTENANCE | MA-4 | NONLOCAL MAINTENANCE
MAINTENANCE | MA-4a. | NONLOCAL MAINTENANCE
MAINTENANCE | MA-4b. | NONLOCAL MAINTENANCE
MAINTENANCE | MA-4c. | NONLOCAL MAINTENANCE
MAINTENANCE | MA-4d. | NONLOCAL MAINTENANCE
MAINTENANCE | MA-4e. | NONLOCAL MAINTENANCE
MAINTENANCE | MA-4 (1) | AUDITING AND REVIEW
MAINTENANCE | MA-4 (1)(a) | AUDITING AND REVIEW
MAINTENANCE | MA-4 (1)(b) | AUDITING AND REVIEW
MAINTENANCE | MA-4 (2) | DOCUMENT NONLOCAL MAINTENANCE
MAINTENANCE | MA-4 (3) | COMPARABLE SECURITY / SANITIZATION
MAINTENANCE | MA-4 (3)(a) | COMPARABLE SECURITY / SANITIZATION
MAINTENANCE | MA-4 (3)(b) | COMPARABLE SECURITY / SANITIZATION
MAINTENANCE | MA-4 (4) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
MAINTENANCE | MA-4 (4)(a) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
MAINTENANCE | MA-4 (4)(b) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
MAINTENANCE | MA-4 (4)(b)(1) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
MAINTENANCE | MA-4 (4)(b)(2) | AUTHENTICATION / SEPARATION OF MAINTENANCE SESSIONS
MAINTENANCE | MA-4 (5) | APPROVALS AND NOTIFICATIONS
MAINTENANCE | MA-4 (5)(a) | APPROVALS AND NOTIFICATIONS
MAINTENANCE | MA-4 (5)(b) | APPROVALS AND NOTIFICATIONS
MAINTENANCE | MA-4 (6) | CRYPTOGRAPHIC PROTECTION
MAINTENANCE | MA-4 (7) | REMOTE DISCONNECT VERIFICATION
MAINTENANCE | MA-5 | MAINTENANCE PERSONNEL
MAINTENANCE | MA-5a. | MAINTENANCE PERSONNEL
MAINTENANCE | MA-5b. | MAINTENANCE PERSONNEL
MAINTENANCE | MA-5c. | MAINTENANCE PERSONNEL
MAINTENANCE | MA-5 (1) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
MAINTENANCE | MA-5 (1)(a) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
MAINTENANCE | MA-5 (1)(a)(1) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
MAINTENANCE | MA-5 (1)(a)(2) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
MAINTENANCE | MA-5 (1)(b) | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
MAINTENANCE | MA-5 (2) | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
MAINTENANCE | MA-5 (3) | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
MAINTENANCE | MA-5 (4) | FOREIGN NATIONALS
MAINTENANCE | MA-5 (4)(a) | FOREIGN NATIONALS
MAINTENANCE | MA-5 (4)(b) | FOREIGN NATIONALS
MAINTENANCE | MA-5 (5) | NONSYSTEM-RELATED MAINTENANCE
MAINTENANCE | MA-6 | TIMELY MAINTENANCE
MAINTENANCE | MA-6 (1) | PREVENTIVE MAINTENANCE
MAINTENANCE | MA-6 (2) | PREDICTIVE MAINTENANCE
MAINTENANCE | MA-6 (3) | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE

MEDIA PROTECTION | MP-1 | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-1a. | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-1a.1. | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-1a.2. | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-1b. | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-1b.1. | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-1b.2. | MEDIA PROTECTION POLICY AND PROCEDURES
MEDIA PROTECTION | MP-2 | MEDIA ACCESS
MEDIA PROTECTION | MP-2 (1) | AUTOMATED RESTRICTED ACCESS
MEDIA PROTECTION | MP-2 (2) | CRYPTOGRAPHIC PROTECTION
MEDIA PROTECTION | MP-3 | MEDIA MARKING
MEDIA PROTECTION | MP-3a. | MEDIA MARKING
MEDIA PROTECTION | MP-3b. | MEDIA MARKING
MEDIA PROTECTION | MP-4 | MEDIA STORAGE
MEDIA PROTECTION | MP-4a. | MEDIA STORAGE
MEDIA PROTECTION | MP-4b. | MEDIA STORAGE
MEDIA PROTECTION | MP-4 (1) | CRYPTOGRAPHIC PROTECTION
MEDIA PROTECTION | MP-4 (2) | AUTOMATED RESTRICTED ACCESS
MEDIA PROTECTION | MP-5 | MEDIA TRANSPORT
MEDIA PROTECTION | MP-5a. | MEDIA TRANSPORT
MEDIA PROTECTION | MP-5b. | MEDIA TRANSPORT
MEDIA PROTECTION | MP-5c. | MEDIA TRANSPORT
MEDIA PROTECTION | MP-5d. | MEDIA TRANSPORT
MEDIA PROTECTION | MP-5 (1) | PROTECTION OUTSIDE OF CONTROLLED AREAS
MEDIA PROTECTION | MP-5 (2) | DOCUMENTATION OF ACTIVITIES
MEDIA PROTECTION | MP-5 (3) | CUSTODIANS
MEDIA PROTECTION | MP-5 (4) | CRYPTOGRAPHIC PROTECTION
MEDIA PROTECTION | MP-6 | MEDIA SANITIZATION
MEDIA PROTECTION | MP-6a. | MEDIA SANITIZATION
MEDIA PROTECTION | MP-6b. | MEDIA SANITIZATION
MEDIA PROTECTION | MP-6 (1) | REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY
MEDIA PROTECTION | MP-6 (2) | EQUIPMENT TESTING
MEDIA PROTECTION | MP-6 (3) | NONDESTRUCTIVE TECHNIQUES
MEDIA PROTECTION | MP-6 (4) | CONTROLLED UNCLASSIFIED INFORMATION
MEDIA PROTECTION | MP-6 (5) | CLASSIFIED INFORMATION
MEDIA PROTECTION | MP-6 (6) | MEDIA DESTRUCTION
MEDIA PROTECTION | MP-6 (7) | DUAL AUTHORIZATION
MEDIA PROTECTION | MP-6 (8) | REMOTE PURGING / WIPING OF INFORMATION
MEDIA PROTECTION | MP-7 | MEDIA USE
MEDIA PROTECTION | MP-7 (1) | PROHIBIT USE WITHOUT OWNER
MEDIA PROTECTION | MP-7 (2) | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA
MEDIA PROTECTION | MP-8 | MEDIA DOWNGRADING
MEDIA PROTECTION | MP-8a. | MEDIA DOWNGRADING
MEDIA PROTECTION | MP-8b. | MEDIA DOWNGRADING
MEDIA PROTECTION | MP-8c. | MEDIA DOWNGRADING
MEDIA PROTECTION | MP-8d. | MEDIA DOWNGRADING
MEDIA PROTECTION | MP-8 (1) | DOCUMENTATION OF PROCESS
MEDIA PROTECTION | MP-8 (2) | EQUIPMENT TESTING
MEDIA PROTECTION | MP-8 (3) | CONTROLLED UNCLASSIFIED INFORMATION
MEDIA PROTECTION | MP-8 (4) | CLASSIFIED INFORMATION

PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1 | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1a. | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1a.1. | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1a.2. | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1b. | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1b.1. | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-1b.2. | PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 | PHYSICAL ACCESS AUTHORIZATIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2a. | PHYSICAL ACCESS AUTHORIZATIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2b. | PHYSICAL ACCESS AUTHORIZATIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2c. | PHYSICAL ACCESS AUTHORIZATIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2d. | PHYSICAL ACCESS AUTHORIZATIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 (1) | ACCESS BY POSITION / ROLE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 (2) | TWO FORMS OF IDENTIFICATION
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-2 (3) | RESTRICT UNESCORTED ACCESS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3a. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3a.1. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3a.2. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3b. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3c. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3d. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3e. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3f. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3g. | PHYSICAL ACCESS CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (1) | INFORMATION SYSTEM ACCESS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (2) | FACILITY / INFORMATION SYSTEM BOUNDARIES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (3) | CONTINUOUS GUARDS / ALARMS / MONITORING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (4) | LOCKABLE CASINGS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (5) | TAMPER PROTECTION
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-3 (6) | FACILITY PENETRATION TESTING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-4 | ACCESS CONTROL FOR TRANSMISSION MEDIUM
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 | ACCESS CONTROL FOR OUTPUT DEVICES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (1) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (1)(a) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (1)(b) | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (2) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (2)(a) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (2)(b) | ACCESS TO OUTPUT BY INDIVIDUAL IDENTITY
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-5 (3) | MARKING OUTPUT DEVICES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 | MONITORING PHYSICAL ACCESS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6a. | MONITORING PHYSICAL ACCESS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6b. | MONITORING PHYSICAL ACCESS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6c. | MONITORING PHYSICAL ACCESS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (1) | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (2) | AUTOMATED INTRUSION RECOGNITION / RESPONSES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (3) | VIDEO SURVEILLANCE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-6 (4) | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-7 | VISITOR CONTROL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 | VISITOR ACCESS RECORDS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8a. | VISITOR ACCESS RECORDS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8b. | VISITOR ACCESS RECORDS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 (1) | AUTOMATED RECORDS MAINTENANCE / REVIEW
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-8 (2) | PHYSICAL ACCESS RECORDS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-9 | POWER EQUIPMENT AND CABLING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-9 (1) | REDUNDANT CABLING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-9 (2) | AUTOMATIC VOLTAGE CONTROLS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10 | EMERGENCY SHUTOFF
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10a. | EMERGENCY SHUTOFF
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10b. | EMERGENCY SHUTOFF
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10c. | EMERGENCY SHUTOFF
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-10 (1) | ACCIDENTAL / UNAUTHORIZED ACTIVATION
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-11 | EMERGENCY POWER
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-11 (1) | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-11 (2) | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-11 (2)(a) | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-11 (2)(b) | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-11 (2)(c) | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-12 | EMERGENCY LIGHTING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-12 (1) | ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-13 | FIRE PROTECTION
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-13 (1) | DETECTION DEVICES / SYSTEMS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-13 (2) | SUPPRESSION DEVICES / SYSTEMS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-13 (3) | AUTOMATIC FIRE SUPPRESSION
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-13 (4) | INSPECTIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-14 | TEMPERATURE AND HUMIDITY CONTROLS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-14a. | TEMPERATURE AND HUMIDITY CONTROLS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-14b. | TEMPERATURE AND HUMIDITY CONTROLS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-14 (1) | AUTOMATIC CONTROLS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-14 (2) | MONITORING WITH ALARMS / NOTIFICATIONS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-15 | WATER DAMAGE PROTECTION
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-15 (1) | AUTOMATION SUPPORT
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-16 | DELIVERY AND REMOVAL
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-17 | ALTERNATE WORK SITE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-17a. | ALTERNATE WORK SITE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-17b. | ALTERNATE WORK SITE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-17c. | ALTERNATE WORK SITE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-18 | LOCATION OF INFORMATION SYSTEM COMPONENTS
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-18 (1) | FACILITY SITE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-19 | INFORMATION LEAKAGE
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-19 (1) | NATIONAL EMISSIONS / TEMPEST POLICIES AND PROCEDURES
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-20 | ASSET MONITORING AND TRACKING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-20a. | ASSET MONITORING AND TRACKING
PHYSICAL AND ENVIRONMENTAL PROTECTION | PE-20b. | ASSET MONITORING AND TRACKING

PLANNING

PL-1

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-1a.

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-1a.1.

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-1a.2.

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-1b.

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-1b.1.

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-1b.2.

SECURITY PLANNING POLICY AND


PROCEDURES

PLANNING

PL-2

SYSTEM SECURITY PLAN

PLANNING

PL-2a.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.1.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.2.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.3.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.4.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.5.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.6.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.7.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.8.

SYSTEM SECURITY PLAN

PLANNING

PL-2a.9.

SYSTEM SECURITY PLAN

PLANNING

PL-2b.

SYSTEM SECURITY PLAN

PLANNING

PL-2c.

SYSTEM SECURITY PLAN

PLANNING

PL-2d.

SYSTEM SECURITY PLAN

PLANNING

PL-2e.

SYSTEM SECURITY PLAN

PLANNING

PL-2 (1)

CONCEPT OF OPERATIONS

PLANNING

PL-2 (2)

FUNCTIONAL ARCHITECTURE

PLANNING

PL-2 (3)

PLAN / COORDINATE WITH OTHER


ORGANIZATIONAL ENTITIES

PLANNING

PL-3

SYSTEM SECURITY PLAN UPDATE

PLANNING

PL-4

RULES OF BEHAVIOR

PLANNING

PL-4a.

RULES OF BEHAVIOR

PLANNING

PL-4b.

RULES OF BEHAVIOR

PLANNING

PL-4c.

RULES OF BEHAVIOR

PLANNING

PL-4d.

RULES OF BEHAVIOR

PLANNING

PL-4 (1)

SOCIAL MEDIA AND NETWORKING


RESTRICTIONS

PLANNING

PL-5

PRIVACY IMPACT ASSESSMENT

PLANNING

PL-6

SECURITY-RELATED ACTIVITY PLANNING

PLANNING

PL-7

SECURITY CONCEPT OF OPERATIONS

PLANNING

PL-7a.

SECURITY CONCEPT OF OPERATIONS

PLANNING

PL-7b.

SECURITY CONCEPT OF OPERATIONS

PLANNING

PL-8

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8a.

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8a.1.

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8a.2.

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8a.3.

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8b.

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8c.

INFORMATION SECURITY ARCHITECTURE

PLANNING

PL-8 (1)

DEFENSE-IN-DEPTH

PLANNING

PL-8 (1)(a)

DEFENSE-IN-DEPTH

PLANNING

PL-8 (1)(b)

DEFENSE-IN-DEPTH

PLANNING

PL-8 (2)

SUPPLIER DIVERSITY

PLANNING

PL-9

CENTRAL MANAGEMENT

PERSONNEL SECURITY

PS-1

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-1a.

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-1a.1.

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-1a.2.

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-1b.

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-1b.1.

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-1b.2.

PERSONNEL SECURITY POLICY AND


PROCEDURES

PERSONNEL SECURITY

PS-2

POSITION RISK DESIGNATION

PERSONNEL SECURITY

PS-2a.

POSITION RISK DESIGNATION

PERSONNEL SECURITY

PS-2b.

POSITION RISK DESIGNATION

PERSONNEL SECURITY

PS-2c.

POSITION RISK DESIGNATION

PERSONNEL SECURITY

PS-3

PERSONNEL SCREENING

PERSONNEL SECURITY

PS-3a.

PERSONNEL SCREENING

PERSONNEL SECURITY

PS-3b.

PERSONNEL SCREENING

PERSONNEL SECURITY

PS-3 (1)

CLASSIFIED INFORMATION

PERSONNEL SECURITY

PS-3 (2)

FORMAL INDOCTRINATION

PERSONNEL SECURITY

PS-3 (3)

INFORMATION WITH SPECIAL PROTECTION


MEASURES

PERSONNEL SECURITY

PS-3 (3)(a)

INFORMATION WITH SPECIAL PROTECTION


MEASURES

PERSONNEL SECURITY

PS-3 (3)(b)

INFORMATION WITH SPECIAL PROTECTION


MEASURES

PERSONNEL SECURITY

PS-4

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4a.

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4b.

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4c.

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4d.

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4e.

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4f.

PERSONNEL TERMINATION

PERSONNEL SECURITY

PS-4 (1)

POST-EMPLOYMENT REQUIREMENTS

PERSONNEL SECURITY

PS-4 (1)(a)

POST-EMPLOYMENT REQUIREMENTS

PERSONNEL SECURITY

PS-4 (1)(b)

POST-EMPLOYMENT REQUIREMENTS

PERSONNEL SECURITY

PS-4 (2)

AUTOMATED NOTIFICATION

PERSONNEL SECURITY

PS-5

PERSONNEL TRANSFER

PERSONNEL SECURITY

PS-5a.

PERSONNEL TRANSFER

PERSONNEL SECURITY

PS-5b.

PERSONNEL TRANSFER

PERSONNEL SECURITY

PS-5c.

PERSONNEL TRANSFER

PERSONNEL SECURITY

PS-5d.

PERSONNEL TRANSFER

PERSONNEL SECURITY

PS-6

ACCESS AGREEMENTS

PERSONNEL SECURITY

PS-6a.

ACCESS AGREEMENTS

PERSONNEL SECURITY

PS-6b.

ACCESS AGREEMENTS

PERSONNEL SECURITY

PS-6c.

ACCESS AGREEMENTS

PERSONNEL SECURITY

PS-6c.1.

ACCESS AGREEMENTS

PERSONNEL SECURITY

PS-6c.2.

ACCESS AGREEMENTS

PERSONNEL SECURITY

PS-6 (1)

INFORMATION REQUIRING SPECIAL


PROTECTION

PERSONNEL SECURITY

PS-6 (2)

CLASSIFIED INFORMATION REQUIRING


SPECIAL PROTECTION

PERSONNEL SECURITY

PS-6 (2)(a)

CLASSIFIED INFORMATION REQUIRING


SPECIAL PROTECTION

PERSONNEL SECURITY

PS-6 (2)(b)

CLASSIFIED INFORMATION REQUIRING


SPECIAL PROTECTION

PERSONNEL SECURITY

PS-6 (2)(c)

CLASSIFIED INFORMATION REQUIRING


SPECIAL PROTECTION

PERSONNEL SECURITY

PS-6 (3)

POST-EMPLOYMENT REQUIREMENTS

PERSONNEL SECURITY

PS-6 (3)(a)

POST-EMPLOYMENT REQUIREMENTS

PERSONNEL SECURITY

PS-6 (3)(b)

POST-EMPLOYMENT REQUIREMENTS

PERSONNEL SECURITY

PS-7

THIRD-PARTY PERSONNEL SECURITY

PERSONNEL SECURITY

PS-7a.

THIRD-PARTY PERSONNEL SECURITY

PERSONNEL SECURITY

PS-7b.

THIRD-PARTY PERSONNEL SECURITY

PERSONNEL SECURITY

PS-7c.

THIRD-PARTY PERSONNEL SECURITY

PERSONNEL SECURITY

PS-7d.

THIRD-PARTY PERSONNEL SECURITY

PERSONNEL SECURITY

PS-7e.

THIRD-PARTY PERSONNEL SECURITY

PERSONNEL SECURITY

PS-8

PERSONNEL SANCTIONS

PERSONNEL SECURITY

PS-8a.

PERSONNEL SANCTIONS

PERSONNEL SECURITY

PS-8b.

PERSONNEL SANCTIONS

RISK ASSESSMENT

RA-1

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-1a.

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-1a.1.

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-1a.2.

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-1b.

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-1b.1.

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-1b.2.

RISK ASSESSMENT POLICY AND


PROCEDURES

RISK ASSESSMENT

RA-2

SECURITY CATEGORIZATION

RISK ASSESSMENT

RA-2a.

SECURITY CATEGORIZATION

RISK ASSESSMENT

RA-2b.

SECURITY CATEGORIZATION

RISK ASSESSMENT

RA-2c.

SECURITY CATEGORIZATION

RISK ASSESSMENT

RA-3

RISK ASSESSMENT

RISK ASSESSMENT

RA-3a.

RISK ASSESSMENT

RISK ASSESSMENT

RA-3b.

RISK ASSESSMENT

RISK ASSESSMENT

RA-3c.

RISK ASSESSMENT

RISK ASSESSMENT

RA-3d.

RISK ASSESSMENT

RISK ASSESSMENT

RA-3e.

RISK ASSESSMENT

RISK ASSESSMENT

RA-4

RISK ASSESSMENT UPDATE

RISK ASSESSMENT

RA-5

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5a.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5b.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5b.1.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5b.2.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5b.3.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5c.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5d.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5e.

VULNERABILITY SCANNING

RISK ASSESSMENT

RA-5 (1)

UPDATE TOOL CAPABILITY

RISK ASSESSMENT

RA-5 (2)

UPDATE BY FREQUENCY / PRIOR TO NEW


SCAN / WHEN IDENTIFIED

RISK ASSESSMENT

RA-5 (3)

BREADTH / DEPTH OF COVERAGE

RISK ASSESSMENT

RA-5 (4)

DISCOVERABLE INFORMATION

RISK ASSESSMENT

RA-5 (5)

PRIVILEGED ACCESS

RISK ASSESSMENT

RA-5 (6)

AUTOMATED TREND ANALYSES

RISK ASSESSMENT

RA-5 (7)

AUTOMATED DETECTION AND NOTIFICATION


OF UNAUTHORIZED COMPONENTS

RISK ASSESSMENT

RA-5 (8)

REVIEW HISTORIC AUDIT LOGS

RISK ASSESSMENT

RA-5 (9)

PENETRATION TESTING AND ANALYSES

RISK ASSESSMENT

RA-5 (10)

CORRELATE SCANNING INFORMATION

RISK ASSESSMENT

RA-6

TECHNICAL SURVEILLANCE
COUNTERMEASURES SURVEY

SYSTEM AND SERVICES


ACQUISITION

SA-1

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-1a.

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-1a.1.

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-1a.2.

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-1b.

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-1b.1.

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-1b.2.

SYSTEM AND SERVICES ACQUISITION POLICY


AND PROCEDURES

SYSTEM AND SERVICES


ACQUISITION

SA-2

ALLOCATION OF RESOURCES

SYSTEM AND SERVICES


ACQUISITION

SA-2a.

ALLOCATION OF RESOURCES

SYSTEM AND SERVICES


ACQUISITION

SA-2b.

ALLOCATION OF RESOURCES

SYSTEM AND SERVICES


ACQUISITION

SA-2c.

ALLOCATION OF RESOURCES

SYSTEM AND SERVICES


ACQUISITION

SA-3

SYSTEM DEVELOPMENT LIFE CYCLE

SYSTEM AND SERVICES


ACQUISITION

SA-3a.

SYSTEM DEVELOPMENT LIFE CYCLE

SYSTEM AND SERVICES


ACQUISITION

SA-3b.

SYSTEM DEVELOPMENT LIFE CYCLE

SYSTEM AND SERVICES


ACQUISITION

SA-3c.

SYSTEM DEVELOPMENT LIFE CYCLE

SYSTEM AND SERVICES


ACQUISITION

SA-3d.

SYSTEM DEVELOPMENT LIFE CYCLE

SYSTEM AND SERVICES


ACQUISITION

SA-4

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4a.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4b.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4c.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4d.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4e.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4f.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4g.

ACQUISITION PROCESS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (1)

FUNCTIONAL PROPERTIES OF SECURITY


CONTROLS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (2)

DESIGN / IMPLEMENTATION INFORMATION


FOR SECURITY CONTROLS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (3)

DEVELOPMENT METHODS / TECHNIQUES /


PRACTICES

SYSTEM AND SERVICES


ACQUISITION

SA-4 (4)

ASSIGNMENT OF COMPONENTS TO SYSTEMS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (5)

SYSTEM / COMPONENT / SERVICE


CONFIGURATIONS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (5)(a)

SYSTEM / COMPONENT / SERVICE


CONFIGURATIONS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (5)(b)

SYSTEM / COMPONENT / SERVICE


CONFIGURATIONS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (6)

USE OF INFORMATION ASSURANCE


PRODUCTS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (6)(a)

USE OF INFORMATION ASSURANCE


PRODUCTS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (6)(b)

USE OF INFORMATION ASSURANCE


PRODUCTS

SYSTEM AND SERVICES


ACQUISITION

SA-4 (7)

NIAP-APPROVED PROTECTION PROFILES

SYSTEM AND SERVICES


ACQUISITION

SA-4 (7)(a)

NIAP-APPROVED PROTECTION PROFILES

SYSTEM AND SERVICES


ACQUISITION

SA-4 (7)(b)

NIAP-APPROVED PROTECTION PROFILES

SYSTEM AND SERVICES


ACQUISITION

SA-4 (8)

CONTINUOUS MONITORING PLAN

SYSTEM AND SERVICES


ACQUISITION

SA-4 (9)

FUNCTIONS / PORTS / PROTOCOLS /


SERVICES IN USE

SYSTEM AND SERVICES


ACQUISITION

SA-4 (10)

USE OF APPROVED PIV PRODUCTS

SYSTEM AND SERVICES


ACQUISITION

SA-5

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5a.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5a.1.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5a.2.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5a.3.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5b.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5b.1.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5b.2.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5b.3.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5c.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5d.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5e.

INFORMATION SYSTEM DOCUMENTATION

SYSTEM AND SERVICES


ACQUISITION

SA-5 (1)

FUNCTIONAL PROPERTIES OF SECURITY


CONTROLS

SYSTEM AND SERVICES


ACQUISITION

SA-5 (2)

SECURITY-RELEVANT EXTERNAL SYSTEM


INTERFACES

SYSTEM AND SERVICES


ACQUISITION

SA-5 (3)

HIGH-LEVEL DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-5 (4)

LOW-LEVEL DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-5 (5)

SOURCE CODE

SYSTEM AND SERVICES


ACQUISITION

SA-6

SOFTWARE USAGE RESTRICTIONS

SYSTEM AND SERVICES


ACQUISITION

SA-7

USER-INSTALLED SOFTWARE

SYSTEM AND SERVICES


ACQUISITION

SA-8

SECURITY ENGINEERING PRINCIPLES

SYSTEM AND SERVICES


ACQUISITION

SA-9

EXTERNAL INFORMATION SYSTEM SERVICES

SYSTEM AND SERVICES


ACQUISITION

SA-9a.

EXTERNAL INFORMATION SYSTEM SERVICES

SYSTEM AND SERVICES


ACQUISITION

SA-9b.

EXTERNAL INFORMATION SYSTEM SERVICES

SYSTEM AND SERVICES


ACQUISITION

SA-9c.

EXTERNAL INFORMATION SYSTEM SERVICES

SYSTEM AND SERVICES


ACQUISITION

SA-9 (1)

RISK ASSESSMENTS / ORGANIZATIONAL


APPROVALS

SYSTEM AND SERVICES


ACQUISITION

SA-9 (1)(a)

RISK ASSESSMENTS / ORGANIZATIONAL


APPROVALS

SYSTEM AND SERVICES


ACQUISITION

SA-9 (1)(b)

RISK ASSESSMENTS / ORGANIZATIONAL


APPROVALS

SYSTEM AND SERVICES


ACQUISITION

SA-9 (2)

IDENTIFICATION OF FUNCTIONS / PORTS /


PROTOCOLS / SERVICES

SYSTEM AND SERVICES


ACQUISITION

SA-9 (3)

ESTABLISH / MAINTAIN TRUST RELATIONSHIP


WITH PROVIDERS

SYSTEM AND SERVICES


ACQUISITION

SA-9 (4)

CONSISTENT INTERESTS OF CONSUMERS


AND PROVIDERS

SYSTEM AND SERVICES


ACQUISITION

SA-9 (5)

PROCESSING, STORAGE, AND SERVICE


LOCATION

SYSTEM AND SERVICES


ACQUISITION

SA-10

DEVELOPER CONFIGURATION MANAGEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-10a.

DEVELOPER CONFIGURATION MANAGEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-10b.

DEVELOPER CONFIGURATION MANAGEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-10c.

DEVELOPER CONFIGURATION MANAGEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-10d.

DEVELOPER CONFIGURATION MANAGEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-10e.

DEVELOPER CONFIGURATION MANAGEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-10 (1)

SOFTWARE / FIRMWARE INTEGRITY


VERIFICATION

SYSTEM AND SERVICES


ACQUISITION

SA-10 (2)

ALTERNATIVE CONFIGURATION
MANAGEMENT PROCESSES

SYSTEM AND SERVICES


ACQUISITION

SA-10 (3)

HARDWARE INTEGRITY VERIFICATION

SYSTEM AND SERVICES


ACQUISITION

SA-10 (4)

TRUSTED GENERATION

SYSTEM AND SERVICES


ACQUISITION

SA-10 (5)

MAPPING INTEGRITY FOR VERSION CONTROL

SYSTEM AND SERVICES


ACQUISITION

SA-10 (6)

TRUSTED DISTRIBUTION

SYSTEM AND SERVICES


ACQUISITION

SA-11

DEVELOPER SECURITY TESTING AND


EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11a.

DEVELOPER SECURITY TESTING AND


EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11b.

DEVELOPER SECURITY TESTING AND


EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11c.

DEVELOPER SECURITY TESTING AND


EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11d.

DEVELOPER SECURITY TESTING AND


EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11e.

DEVELOPER SECURITY TESTING AND


EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11 (1)

STATIC CODE ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-11 (2)

THREAT AND VULNERABILITY ANALYSES

SYSTEM AND SERVICES


ACQUISITION

SA-11 (3)

INDEPENDENT VERIFICATION OF
ASSESSMENT PLANS / EVIDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-11 (3)(a)

INDEPENDENT VERIFICATION OF
ASSESSMENT PLANS / EVIDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-11 (3)(b)

INDEPENDENT VERIFICATION OF
ASSESSMENT PLANS / EVIDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-11 (4)

MANUAL CODE REVIEWS

SYSTEM AND SERVICES


ACQUISITION

SA-11 (5)

PENETRATION TESTING

SYSTEM AND SERVICES


ACQUISITION

SA-11 (6)

ATTACK SURFACE REVIEWS

SYSTEM AND SERVICES


ACQUISITION

SA-11 (7)

VERIFY SCOPE OF TESTING / EVALUATION

SYSTEM AND SERVICES


ACQUISITION

SA-11 (8)

DYNAMIC CODE ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-12

SUPPLY CHAIN PROTECTION

SYSTEM AND SERVICES


ACQUISITION

SA-12 (1)

ACQUISITION STRATEGIES / TOOLS /


METHODS

SYSTEM AND SERVICES


ACQUISITION

SA-12 (2)

SUPPLIER REVIEWS

SYSTEM AND SERVICES


ACQUISITION

SA-12 (3)

TRUSTED SHIPPING AND WAREHOUSING

SYSTEM AND SERVICES


ACQUISITION

SA-12 (4)

DIVERSITY OF SUPPLIERS

SYSTEM AND SERVICES


ACQUISITION

SA-12 (5)

LIMITATION OF HARM

SYSTEM AND SERVICES


ACQUISITION

SA-12 (6)

MINIMIZING PROCUREMENT TIME

SYSTEM AND SERVICES


ACQUISITION

SA-12 (7)

ASSESSMENTS PRIOR TO SELECTION /


ACCEPTANCE / UPDATE

SYSTEM AND SERVICES


ACQUISITION

SA-12 (8)

USE OF ALL-SOURCE INTELLIGENCE

SYSTEM AND SERVICES


ACQUISITION

SA-12 (9)

OPERATIONS SECURITY

SYSTEM AND SERVICES


ACQUISITION

SA-12 (10)

VALIDATE AS GENUINE AND NOT ALTERED

SYSTEM AND SERVICES


ACQUISITION

SA-12 (11)

PENETRATION TESTING / ANALYSIS OF


ELEMENTS, PROCESSES, AND ACTORS

SYSTEM AND SERVICES


ACQUISITION

SA-12 (12)

INTER-ORGANIZATIONAL AGREEMENTS

SYSTEM AND SERVICES


ACQUISITION

SA-12 (13)

CRITICAL INFORMATION SYSTEM


COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-12 (14)

IDENTITY AND TRACEABILITY

SYSTEM AND SERVICES


ACQUISITION

SA-12 (15)

PROCESSES TO ADDRESS WEAKNESSES OR


DEFICIENCIES

SYSTEM AND SERVICES


ACQUISITION

SA-13

TRUSTWORTHINESS

SYSTEM AND SERVICES


ACQUISITION

SA-13a.

TRUSTWORTHINESS

SYSTEM AND SERVICES


ACQUISITION

SA-13b.

TRUSTWORTHINESS

SYSTEM AND SERVICES


ACQUISITION

SA-14

CRITICALITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-14 (1)

CRITICAL COMPONENTS WITH NO VIABLE


ALTERNATIVE SOURCING

SYSTEM AND SERVICES


ACQUISITION

SA-15

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15a.

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15a.1.

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15a.2.

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15a.3.

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15a.4.

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15b.

DEVELOPMENT PROCESS, STANDARDS, AND


TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (1)

QUALITY METRICS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (1)(a)

QUALITY METRICS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (1)(b)

QUALITY METRICS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (2)

SECURITY TRACKING TOOLS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (3)

CRITICALITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (4)

THREAT MODELING / VULNERABILITY


ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (4)(a)

THREAT MODELING / VULNERABILITY


ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (4)(b)

THREAT MODELING / VULNERABILITY


ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (4)(c)

THREAT MODELING / VULNERABILITY


ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (5)

ATTACK SURFACE REDUCTION

SYSTEM AND SERVICES


ACQUISITION

SA-15 (6)

CONTINUOUS IMPROVEMENT

SYSTEM AND SERVICES


ACQUISITION

SA-15 (7)

AUTOMATED VULNERABILITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (7)(a)

AUTOMATED VULNERABILITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (7)(b)

AUTOMATED VULNERABILITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (7)(c)

AUTOMATED VULNERABILITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (7)(d)

AUTOMATED VULNERABILITY ANALYSIS

SYSTEM AND SERVICES


ACQUISITION

SA-15 (8)

REUSE OF THREAT / VULNERABILITY


INFORMATION

SYSTEM AND SERVICES


ACQUISITION

SA-15 (9)

USE OF LIVE DATA

SYSTEM AND SERVICES


ACQUISITION

SA-15 (10)

INCIDENT RESPONSE PLAN

SYSTEM AND SERVICES


ACQUISITION

SA-15 (11)

ARCHIVE INFORMATION SYSTEM /


COMPONENT

SYSTEM AND SERVICES


ACQUISITION

SA-16

DEVELOPER-PROVIDED TRAINING

SYSTEM AND SERVICES


ACQUISITION

SA-17

DEVELOPER SECURITY ARCHITECTURE AND


DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17a.

DEVELOPER SECURITY ARCHITECTURE AND


DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17b.

DEVELOPER SECURITY ARCHITECTURE AND


DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17c.

DEVELOPER SECURITY ARCHITECTURE AND


DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17 (1)

FORMAL POLICY MODEL

SYSTEM AND SERVICES


ACQUISITION

SA-17 (1)(a)

FORMAL POLICY MODEL

SYSTEM AND SERVICES


ACQUISITION

SA-17 (1)(b)

FORMAL POLICY MODEL

SYSTEM AND SERVICES


ACQUISITION

SA-17 (2)

SECURITY-RELEVANT COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-17 (2)(a)

SECURITY-RELEVANT COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-17 (2)(b)

SECURITY-RELEVANT COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-17 (3)

FORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (3)(a)

FORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (3)(b)

FORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (3)(c)

FORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (3)(d)

FORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (3)(e)

FORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (4)

INFORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (4)(a)

INFORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (4)(b)

INFORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (4)(c)

INFORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (4)(d)

INFORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (4)(e)

INFORMAL CORRESPONDENCE

SYSTEM AND SERVICES


ACQUISITION

SA-17 (5)

CONCEPTUALLY SIMPLE DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17 (5)(a)

CONCEPTUALLY SIMPLE DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17 (5)(b)

CONCEPTUALLY SIMPLE DESIGN

SYSTEM AND SERVICES


ACQUISITION

SA-17 (6)

STRUCTURE FOR TESTING

SYSTEM AND SERVICES


ACQUISITION

SA-17 (7)

STRUCTURE FOR LEAST PRIVILEGE

SYSTEM AND SERVICES


ACQUISITION

SA-18

TAMPER RESISTANCE AND DETECTION

SYSTEM AND SERVICES


ACQUISITION

SA-18 (1)

MULTIPLE PHASES OF SDLC

SYSTEM AND SERVICES


ACQUISITION

SA-18 (2)

INSPECTION OF INFORMATION SYSTEMS,


COMPONENTS, OR DEVICES

SYSTEM AND SERVICES


ACQUISITION

SA-19

COMPONENT AUTHENTICITY

SYSTEM AND SERVICES


ACQUISITION

SA-19a.

COMPONENT AUTHENTICITY

SYSTEM AND SERVICES


ACQUISITION

SA-19b.

COMPONENT AUTHENTICITY

SYSTEM AND SERVICES


ACQUISITION

SA-19 (1)

ANTI-COUNTERFEIT TRAINING

SYSTEM AND SERVICES


ACQUISITION

SA-19 (2)

CONFIGURATION CONTROL FOR


COMPONENT SERVICE / REPAIR

SYSTEM AND SERVICES


ACQUISITION

SA-19 (3)

COMPONENT DISPOSAL

SYSTEM AND SERVICES


ACQUISITION

SA-19 (4)

ANTI-COUNTERFEIT SCANNING

SYSTEM AND SERVICES


ACQUISITION

SA-20

CUSTOMIZED DEVELOPMENT OF CRITICAL


COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-21

DEVELOPER SCREENING

SYSTEM AND SERVICES


ACQUISITION

SA-21a.

DEVELOPER SCREENING

SYSTEM AND SERVICES


ACQUISITION

SA-21b.

DEVELOPER SCREENING

SYSTEM AND SERVICES


ACQUISITION

SA-21 (1)

VALIDATION OF SCREENING

SYSTEM AND SERVICES


ACQUISITION

SA-22

UNSUPPORTED SYSTEM COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-22a.

UNSUPPORTED SYSTEM COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-22b.

UNSUPPORTED SYSTEM COMPONENTS

SYSTEM AND SERVICES


ACQUISITION

SA-22 (1)

ALTERNATIVE SOURCES FOR CONTINUED


SUPPORT

SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-1

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

SC-1a.

COMMUNICATIONS
PROTECTION
SYSTEM AND

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

SC-1a.1.

COMMUNICATIONS
PROTECTION
SYSTEM AND

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

SC-1a.2.

COMMUNICATIONS
PROTECTION
SYSTEM AND

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

SC-1b.

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

COMMUNICATIONS
PROTECTION

SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-1b.1.

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

SC-1b.2.

COMMUNICATIONS
PROTECTION
SYSTEM AND

SYSTEM AND COMMUNICATIONS


PROTECTION POLICY AND PROCEDURES

SC-2

APPLICATION PARTITIONING

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-2 (1)

INTERFACES FOR NON-PRIVILEGED USERS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-3

SECURITY FUNCTION ISOLATION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-3 (1)

HARDWARE SEPARATION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-3 (2)

ACCESS / FLOW CONTROL FUNCTIONS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-3 (3)

MINIMIZE NONSECURITY FUNCTIONALITY

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-3 (4)

MODULE COUPLING AND COHESIVENESS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-3 (5)

LAYERED STRUCTURES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-4

INFORMATION IN SHARED RESOURCES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-4 (1)

SECURITY LEVELS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-4 (2)

PERIODS PROCESSING

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-5

DENIAL OF SERVICE PROTECTION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-5 (1)

RESTRICT INTERNAL USERS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-5 (2)

COMMUNICATIONS
PROTECTION
SYSTEM AND

EXCESS CAPACITY / BANDWIDTH /


REDUNDANCY

SC-5 (3)

DETECTION / MONITORING

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-5 (3)(a)

DETECTION / MONITORING

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-5 (3)(b)

DETECTION / MONITORING

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-6

RESOURCE AVAILABILITY

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7

BOUNDARY PROTECTION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7a.

BOUNDARY PROTECTION

COMMUNICATIONS
PROTECTION

SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7b.

BOUNDARY PROTECTION

SC-7c.

BOUNDARY PROTECTION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (1)

PHYSICALLY SEPARATED SUBNETWORKS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (2)

PUBLIC ACCESS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (3)

ACCESS POINTS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (4)

EXTERNAL TELECOMMUNICATIONS SERVICES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (4)(a)

EXTERNAL TELECOMMUNICATIONS SERVICES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (4)(b)

EXTERNAL TELECOMMUNICATIONS SERVICES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (4)(c)

EXTERNAL TELECOMMUNICATIONS SERVICES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (4)(d)

EXTERNAL TELECOMMUNICATIONS SERVICES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (4)(e)

EXTERNAL TELECOMMUNICATIONS SERVICES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (5)

DENY BY DEFAULT / ALLOW BY EXCEPTION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (6)

RESPONSE TO RECOGNIZED FAILURES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (7)

COMMUNICATIONS
PROTECTION
SYSTEM AND

PREVENT SPLIT TUNNELING FOR REMOTE


DEVICES

SC-7 (8)

COMMUNICATIONS
PROTECTION
SYSTEM AND

ROUTE TRAFFIC TO AUTHENTICATED PROXY


SERVERS

SC-7 (9)

COMMUNICATIONS
PROTECTION
SYSTEM AND

RESTRICT THREATENING OUTGOING


COMMUNICATIONS TRAFFIC

SC-7 (9)(a)

COMMUNICATIONS
PROTECTION
SYSTEM AND

RESTRICT THREATENING OUTGOING


COMMUNICATIONS TRAFFIC

SC-7 (9)(b)

COMMUNICATIONS
PROTECTION
SYSTEM AND

RESTRICT THREATENING OUTGOING


COMMUNICATIONS TRAFFIC

SC-7 (10)

PREVENT UNAUTHORIZED EXFILTRATION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (11)

COMMUNICATIONS
PROTECTION
SYSTEM AND

RESTRICT INCOMING COMMUNICATIONS


TRAFFIC

SC-7 (12)

HOST-BASED PROTECTION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (13)

ISOLATION OF SECURITY TOOLS /


MECHANISMS / SUPPORT COMPONENTS

COMMUNICATIONS
PROTECTION

SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (14)

PROTECTS AGAINST UNAUTHORIZED


PHYSICAL CONNECTIONS

SC-7 (15)

ROUTE PRIVILEGED NETWORK ACCESSES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (16)

COMMUNICATIONS
PROTECTION
SYSTEM AND

PREVENT DISCOVERY OF COMPONENTS /


DEVICES

SC-7 (17)

COMMUNICATIONS
PROTECTION
SYSTEM AND

AUTOMATED ENFORCEMENT OF PROTOCOL


FORMATS

SC-7 (18)

FAIL SECURE

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (19)

COMMUNICATIONS
PROTECTION
SYSTEM AND

BLOCKS COMMUNICATION FROM NONORGANIZATIONALLY CONFIGURED HOSTS

SC-7 (20)

DYNAMIC ISOLATION / SEGREGATION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-7 (21)

COMMUNICATIONS
PROTECTION
SYSTEM AND

ISOLATION OF INFORMATION SYSTEM


COMPONENTS

SC-7 (22)

COMMUNICATIONS
PROTECTION
SYSTEM AND

SEPARATE SUBNETS FOR CONNECTING TO


DIFFERENT SECURITY DOMAINS

SC-7 (23)

COMMUNICATIONS
PROTECTION
SYSTEM AND

DISABLE SENDER FEEDBACK ON PROTOCOL


VALIDATION FAILURE

SC-8

COMMUNICATIONS
PROTECTION
SYSTEM AND

TRANSMISSION CONFIDENTIALITY AND


INTEGRITY

SC-8 (1)

COMMUNICATIONS
PROTECTION
SYSTEM AND

CRYPTOGRAPHIC OR ALTERNATE PHYSICAL


PROTECTION

SC-8 (2)

PRE / POST TRANSMISSION HANDLING

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-8 (3)

COMMUNICATIONS
PROTECTION
SYSTEM AND

CRYPTOGRAPHIC PROTECTION FOR


MESSAGE EXTERNALS

SC-8 (4)

CONCEAL / RANDOMIZE COMMUNICATIONS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-9

TRANSMISSION CONFIDENTIALITY

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-10

NETWORK DISCONNECT

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-11

TRUSTED PATH

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-11 (1)

LOGICAL ISOLATION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-12

COMMUNICATIONS
PROTECTION
SYSTEM AND

CRYPTOGRAPHIC KEY ESTABLISHMENT AND


MANAGEMENT

SC-12 (1)

AVAILABILITY

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-12 (2)

SYMMETRIC KEYS

COMMUNICATIONS
PROTECTION

SYSTEM AND
COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-12 (3)

ASYMMETRIC KEYS

SC-12 (4)

PKI CERTIFICATES

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-12 (5)

PKI CERTIFICATES / HARDWARE TOKENS

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-13

CRYPTOGRAPHIC PROTECTION

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-13 (1)

FIPS-VALIDATED CRYPTOGRAPHY

COMMUNICATIONS
PROTECTION
SYSTEM AND

SC-13 (2)

NSA-APPROVED CRYPTOGRAPHY
FAMILY | NAME | TITLE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 (3) | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-13 (4) | DIGITAL SIGNATURES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-14 | PUBLIC ACCESS PROTECTIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 | COLLABORATIVE COMPUTING DEVICES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15a. | COLLABORATIVE COMPUTING DEVICES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15b. | COLLABORATIVE COMPUTING DEVICES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (1) | PHYSICAL DISCONNECT
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (2) | BLOCKING INBOUND / OUTBOUND COMMUNICATIONS TRAFFIC
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (3) | DISABLING / REMOVAL IN SECURE WORK AREAS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-15 (4) | EXPLICITLY INDICATE CURRENT PARTICIPANTS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-16 | TRANSMISSION OF SECURITY ATTRIBUTES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-16 (1) | INTEGRITY VALIDATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-17 | PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 | MOBILE CODE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18a. | MOBILE CODE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18b. | MOBILE CODE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18c. | MOBILE CODE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (1) | IDENTIFY UNACCEPTABLE CODE / TAKE CORRECTIVE ACTIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (2) | ACQUISITION / DEVELOPMENT / USE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (3) | PREVENT DOWNLOADING / EXECUTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (4) | PREVENT AUTOMATIC EXECUTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-18 (5) | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-19 | VOICE OVER INTERNET PROTOCOL
SYSTEM AND COMMUNICATIONS PROTECTION | SC-19a. | VOICE OVER INTERNET PROTOCOL
SYSTEM AND COMMUNICATIONS PROTECTION | SC-19b. | VOICE OVER INTERNET PROTOCOL
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20a. | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20b. | SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 (1) | CHILD SUBSPACES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-20 (2) | DATA ORIGIN / INTEGRITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-21 | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SYSTEM AND COMMUNICATIONS PROTECTION | SC-21 (1) | DATA ORIGIN / INTEGRITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-22 | ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 | SESSION AUTHENTICITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (1) | INVALIDATE SESSION IDENTIFIERS AT LOGOUT
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (2) | USER-INITIATED LOGOUTS / MESSAGE DISPLAYS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (3) | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (4) | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-23 (5) | ALLOWED CERTIFICATE AUTHORITIES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-24 | FAIL IN KNOWN STATE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-25 | THIN NODES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-26 | HONEYPOTS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-26 (1) | DETECTION OF MALICIOUS CODE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-27 | PLATFORM-INDEPENDENT APPLICATIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-28 | PROTECTION OF INFORMATION AT REST
SYSTEM AND COMMUNICATIONS PROTECTION | SC-28 (1) | CRYPTOGRAPHIC PROTECTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-28 (2) | OFF-LINE STORAGE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-29 | HETEROGENEITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-29 (1) | VIRTUALIZATION TECHNIQUES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 | CONCEALMENT AND MISDIRECTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (1) | VIRTUALIZATION TECHNIQUES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (2) | RANDOMNESS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (3) | CHANGE PROCESSING / STORAGE LOCATIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (4) | MISLEADING INFORMATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-30 (5) | CONCEALMENT OF SYSTEM COMPONENTS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 | COVERT CHANNEL ANALYSIS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31a. | COVERT CHANNEL ANALYSIS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31b. | COVERT CHANNEL ANALYSIS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 (1) | TEST COVERT CHANNELS FOR EXPLOITABILITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 (2) | MAXIMUM BANDWIDTH
SYSTEM AND COMMUNICATIONS PROTECTION | SC-31 (3) | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-32 | INFORMATION SYSTEM PARTITIONING
SYSTEM AND COMMUNICATIONS PROTECTION | SC-33 | TRANSMISSION PREPARATION INTEGRITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 | NON-MODIFIABLE EXECUTABLE PROGRAMS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34a. | NON-MODIFIABLE EXECUTABLE PROGRAMS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34b. | NON-MODIFIABLE EXECUTABLE PROGRAMS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 (1) | NO WRITABLE STORAGE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 (2) | INTEGRITY PROTECTION / READ-ONLY MEDIA
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 (3) | HARDWARE-BASED PROTECTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 (3)(a) | HARDWARE-BASED PROTECTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-34 (3)(b) | HARDWARE-BASED PROTECTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-35 | HONEYCLIENTS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-36 | DISTRIBUTED PROCESSING AND STORAGE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-36 (1) | POLLING TECHNIQUES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-37 | OUT-OF-BAND CHANNELS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-37 (1) | ENSURE DELIVERY / TRANSMISSION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-38 | OPERATIONS SECURITY
SYSTEM AND COMMUNICATIONS PROTECTION | SC-39 | PROCESS ISOLATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-39 (1) | HARDWARE SEPARATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-39 (2) | THREAD ISOLATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-40 | WIRELESS LINK PROTECTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-40 (1) | ELECTROMAGNETIC INTERFERENCE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-40 (2) | REDUCE DETECTION POTENTIAL
SYSTEM AND COMMUNICATIONS PROTECTION | SC-40 (3) | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-40 (4) | SIGNAL PARAMETER IDENTIFICATION
SYSTEM AND COMMUNICATIONS PROTECTION | SC-41 | PORT AND I/O DEVICE ACCESS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-42 | SENSOR CAPABILITY AND DATA
SYSTEM AND COMMUNICATIONS PROTECTION | SC-42a. | SENSOR CAPABILITY AND DATA
SYSTEM AND COMMUNICATIONS PROTECTION | SC-42b. | SENSOR CAPABILITY AND DATA
SYSTEM AND COMMUNICATIONS PROTECTION | SC-42 (1) | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-42 (2) | AUTHORIZED USE
SYSTEM AND COMMUNICATIONS PROTECTION | SC-42 (3) | PROHIBIT USE OF DEVICES
SYSTEM AND COMMUNICATIONS PROTECTION | SC-43 | USAGE RESTRICTIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-43a. | USAGE RESTRICTIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-43b. | USAGE RESTRICTIONS
SYSTEM AND COMMUNICATIONS PROTECTION | SC-44 | DETONATION CHAMBERS
SYSTEM AND INFORMATION INTEGRITY | SI-1 | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-1a. | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-1a.1. | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-1a.2. | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-1b. | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-1b.1. | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-1b.2. | SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
SYSTEM AND INFORMATION INTEGRITY | SI-2 | FLAW REMEDIATION
SYSTEM AND INFORMATION INTEGRITY | SI-2a. | FLAW REMEDIATION
SYSTEM AND INFORMATION INTEGRITY | SI-2b. | FLAW REMEDIATION
SYSTEM AND INFORMATION INTEGRITY | SI-2c. | FLAW REMEDIATION
SYSTEM AND INFORMATION INTEGRITY | SI-2d. | FLAW REMEDIATION
SYSTEM AND INFORMATION INTEGRITY | SI-2 (1) | CENTRAL MANAGEMENT
SYSTEM AND INFORMATION INTEGRITY | SI-2 (2) | AUTOMATED FLAW REMEDIATION STATUS
SYSTEM AND INFORMATION INTEGRITY | SI-2 (3) | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS
SYSTEM AND INFORMATION INTEGRITY | SI-2 (3)(a) | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS
SYSTEM AND INFORMATION INTEGRITY | SI-2 (3)(b) | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS
SYSTEM AND INFORMATION INTEGRITY | SI-2 (4) | AUTOMATED PATCH MANAGEMENT TOOLS
SYSTEM AND INFORMATION INTEGRITY | SI-2 (5) | AUTOMATIC SOFTWARE / FIRMWARE UPDATES
SYSTEM AND INFORMATION INTEGRITY | SI-2 (6) | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE / FIRMWARE
SYSTEM AND INFORMATION INTEGRITY | SI-3 | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3a. | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3b. | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3c. | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3c.1. | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3c.2. | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3d. | MALICIOUS CODE PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3 (1) | CENTRAL MANAGEMENT
SYSTEM AND INFORMATION INTEGRITY | SI-3 (2) | AUTOMATIC UPDATES
SYSTEM AND INFORMATION INTEGRITY | SI-3 (3) | NON-PRIVILEGED USERS
SYSTEM AND INFORMATION INTEGRITY | SI-3 (4) | UPDATES ONLY BY PRIVILEGED USERS
SYSTEM AND INFORMATION INTEGRITY | SI-3 (5) | PORTABLE STORAGE DEVICES
SYSTEM AND INFORMATION INTEGRITY | SI-3 (6) | TESTING / VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-3 (6)(a) | TESTING / VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-3 (6)(b) | TESTING / VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-3 (7) | NONSIGNATURE-BASED DETECTION
SYSTEM AND INFORMATION INTEGRITY | SI-3 (8) | DETECT UNAUTHORIZED COMMANDS
SYSTEM AND INFORMATION INTEGRITY | SI-3 (9) | AUTHENTICATE REMOTE COMMANDS
SYSTEM AND INFORMATION INTEGRITY | SI-3 (10) | MALICIOUS CODE ANALYSIS
SYSTEM AND INFORMATION INTEGRITY | SI-3 (10)(a) | MALICIOUS CODE ANALYSIS
SYSTEM AND INFORMATION INTEGRITY | SI-3 (10)(b) | MALICIOUS CODE ANALYSIS
SYSTEM AND INFORMATION INTEGRITY | SI-4 | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4a. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4a.1. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4a.2. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4b. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4c. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4c.1. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4c.2. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4d. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4e. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4f. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4g. | INFORMATION SYSTEM MONITORING
SYSTEM AND INFORMATION INTEGRITY | SI-4 (1) | SYSTEM-WIDE INTRUSION DETECTION SYSTEM
SYSTEM AND INFORMATION INTEGRITY | SI-4 (2) | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (3) | AUTOMATED TOOL INTEGRATION
SYSTEM AND INFORMATION INTEGRITY | SI-4 (4) | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
SYSTEM AND INFORMATION INTEGRITY | SI-4 (5) | SYSTEM-GENERATED ALERTS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (6) | RESTRICT NON-PRIVILEGED USERS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (7) | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (8) | PROTECTION OF MONITORING INFORMATION
SYSTEM AND INFORMATION INTEGRITY | SI-4 (9) | TESTING OF MONITORING TOOLS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (10) | VISIBILITY OF ENCRYPTED COMMUNICATIONS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (11) | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
SYSTEM AND INFORMATION INTEGRITY | SI-4 (12) | AUTOMATED ALERTS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (13) | ANALYZE TRAFFIC / EVENT PATTERNS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (13)(a) | ANALYZE TRAFFIC / EVENT PATTERNS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (13)(b) | ANALYZE TRAFFIC / EVENT PATTERNS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (13)(c) | ANALYZE TRAFFIC / EVENT PATTERNS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (14) | WIRELESS INTRUSION DETECTION
SYSTEM AND INFORMATION INTEGRITY | SI-4 (15) | WIRELESS TO WIRELINE COMMUNICATIONS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (16) | CORRELATE MONITORING INFORMATION
SYSTEM AND INFORMATION INTEGRITY | SI-4 (17) | INTEGRATED SITUATIONAL AWARENESS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (18) | ANALYZE TRAFFIC / COVERT EXFILTRATION
SYSTEM AND INFORMATION INTEGRITY | SI-4 (19) | INDIVIDUALS POSING GREATER RISK
SYSTEM AND INFORMATION INTEGRITY | SI-4 (20) | PRIVILEGED USERS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (21) | PROBATIONARY PERIODS
SYSTEM AND INFORMATION INTEGRITY | SI-4 (22) | UNAUTHORIZED NETWORK SERVICES
SYSTEM AND INFORMATION INTEGRITY | SI-4 (23) | HOST-BASED DEVICES
SYSTEM AND INFORMATION INTEGRITY | SI-4 (24) | INDICATORS OF COMPROMISE
SYSTEM AND INFORMATION INTEGRITY | SI-5 | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SYSTEM AND INFORMATION INTEGRITY | SI-5a. | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SYSTEM AND INFORMATION INTEGRITY | SI-5b. | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SYSTEM AND INFORMATION INTEGRITY | SI-5c. | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SYSTEM AND INFORMATION INTEGRITY | SI-5d. | SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
SYSTEM AND INFORMATION INTEGRITY | SI-5 (1) | AUTOMATED ALERTS AND ADVISORIES
SYSTEM AND INFORMATION INTEGRITY | SI-6 | SECURITY FUNCTION VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-6a. | SECURITY FUNCTION VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-6b. | SECURITY FUNCTION VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-6c. | SECURITY FUNCTION VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-6d. | SECURITY FUNCTION VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-6 (1) | NOTIFICATION OF FAILED SECURITY TESTS
SYSTEM AND INFORMATION INTEGRITY | SI-6 (2) | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING
SYSTEM AND INFORMATION INTEGRITY | SI-6 (3) | REPORT VERIFICATION RESULTS
SYSTEM AND INFORMATION INTEGRITY | SI-7 | SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
SYSTEM AND INFORMATION INTEGRITY | SI-7 (1) | INTEGRITY CHECKS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (2) | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (3) | CENTRALLY-MANAGED INTEGRITY TOOLS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (4) | TAMPER-EVIDENT PACKAGING
SYSTEM AND INFORMATION INTEGRITY | SI-7 (5) | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (6) | CRYPTOGRAPHIC PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-7 (7) | INTEGRATION OF DETECTION AND RESPONSE
SYSTEM AND INFORMATION INTEGRITY | SI-7 (8) | AUDITING CAPABILITY FOR SIGNIFICANT EVENTS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (9) | VERIFY BOOT PROCESS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (10) | PROTECTION OF BOOT FIRMWARE
SYSTEM AND INFORMATION INTEGRITY | SI-7 (11) | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
SYSTEM AND INFORMATION INTEGRITY | SI-7 (12) | INTEGRITY VERIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-7 (13) | CODE EXECUTION IN PROTECTED ENVIRONMENTS
SYSTEM AND INFORMATION INTEGRITY | SI-7 (14) | BINARY OR MACHINE EXECUTABLE CODE
SYSTEM AND INFORMATION INTEGRITY | SI-7 (14)(a) | BINARY OR MACHINE EXECUTABLE CODE
SYSTEM AND INFORMATION INTEGRITY | SI-7 (14)(b) | BINARY OR MACHINE EXECUTABLE CODE
SYSTEM AND INFORMATION INTEGRITY | SI-7 (15) | CODE AUTHENTICATION
SYSTEM AND INFORMATION INTEGRITY | SI-7 (16) | TIME LIMIT ON PROCESS EXECUTION W/O SUPERVISION
SYSTEM AND INFORMATION INTEGRITY | SI-8 | SPAM PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-8a. | SPAM PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-8b. | SPAM PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-8 (1) | CENTRAL MANAGEMENT
SYSTEM AND INFORMATION INTEGRITY | SI-8 (2) | AUTOMATIC UPDATES
SYSTEM AND INFORMATION INTEGRITY | SI-8 (3) | CONTINUOUS LEARNING CAPABILITY
SYSTEM AND INFORMATION INTEGRITY | SI-9 | INFORMATION INPUT RESTRICTIONS
SYSTEM AND INFORMATION INTEGRITY | SI-10 | INFORMATION INPUT VALIDATION
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1) | MANUAL OVERRIDE CAPABILITY
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1)(a) | MANUAL OVERRIDE CAPABILITY
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1)(b) | MANUAL OVERRIDE CAPABILITY
SYSTEM AND INFORMATION INTEGRITY | SI-10 (1)(c) | MANUAL OVERRIDE CAPABILITY
SYSTEM AND INFORMATION INTEGRITY | SI-10 (2) | REVIEW / RESOLUTION OF ERRORS
SYSTEM AND INFORMATION INTEGRITY | SI-10 (3) | PREDICTABLE BEHAVIOR
SYSTEM AND INFORMATION INTEGRITY | SI-10 (4) | REVIEW / TIMING INTERACTIONS
SYSTEM AND INFORMATION INTEGRITY | SI-10 (5) | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS
SYSTEM AND INFORMATION INTEGRITY | SI-11 | ERROR HANDLING
SYSTEM AND INFORMATION INTEGRITY | SI-11a. | ERROR HANDLING
SYSTEM AND INFORMATION INTEGRITY | SI-11b. | ERROR HANDLING
SYSTEM AND INFORMATION INTEGRITY | SI-12 | INFORMATION HANDLING AND RETENTION
SYSTEM AND INFORMATION INTEGRITY | SI-13 | PREDICTABLE FAILURE PREVENTION
SYSTEM AND INFORMATION INTEGRITY | SI-13a. | PREDICTABLE FAILURE PREVENTION
SYSTEM AND INFORMATION INTEGRITY | SI-13b. | PREDICTABLE FAILURE PREVENTION
SYSTEM AND INFORMATION INTEGRITY | SI-13 (1) | TRANSFERRING COMPONENT RESPONSIBILITIES
SYSTEM AND INFORMATION INTEGRITY | SI-13 (2) | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
SYSTEM AND INFORMATION INTEGRITY | SI-13 (3) | MANUAL TRANSFER BETWEEN COMPONENTS
SYSTEM AND INFORMATION INTEGRITY | SI-13 (4) | STANDBY COMPONENT INSTALLATION / NOTIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-13 (4)(a) | STANDBY COMPONENT INSTALLATION / NOTIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-13 (4)(b) | STANDBY COMPONENT INSTALLATION / NOTIFICATION
SYSTEM AND INFORMATION INTEGRITY | SI-13 (5) | FAILOVER CAPABILITY
SYSTEM AND INFORMATION INTEGRITY | SI-14 | NON-PERSISTENCE
SYSTEM AND INFORMATION INTEGRITY | SI-14 (1) | REFRESH FROM TRUSTED SOURCES
SYSTEM AND INFORMATION INTEGRITY | SI-15 | INFORMATION OUTPUT FILTERING
SYSTEM AND INFORMATION INTEGRITY | SI-16 | MEMORY PROTECTION
SYSTEM AND INFORMATION INTEGRITY | SI-17 | FAIL-SAFE PROCEDURES
PROGRAM MANAGEMENT | PM-1 | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1a. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1a.1. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1a.2. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1a.3. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1a.4. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1b. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1c. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-1d. | INFORMATION SECURITY PROGRAM PLAN
PROGRAM MANAGEMENT | PM-2 | SENIOR INFORMATION SECURITY OFFICER
PROGRAM MANAGEMENT | PM-3 | INFORMATION SECURITY RESOURCES
PROGRAM MANAGEMENT | PM-3a. | INFORMATION SECURITY RESOURCES
PROGRAM MANAGEMENT | PM-3b. | INFORMATION SECURITY RESOURCES
PROGRAM MANAGEMENT | PM-3c. | INFORMATION SECURITY RESOURCES
PROGRAM MANAGEMENT | PM-4 | PLAN OF ACTION AND MILESTONES PROCESS
PROGRAM MANAGEMENT | PM-4a. | PLAN OF ACTION AND MILESTONES PROCESS
PROGRAM MANAGEMENT | PM-4a.1. | PLAN OF ACTION AND MILESTONES PROCESS
PROGRAM MANAGEMENT | PM-4a.2. | PLAN OF ACTION AND MILESTONES PROCESS
PROGRAM MANAGEMENT | PM-4a.3. | PLAN OF ACTION AND MILESTONES PROCESS
PROGRAM MANAGEMENT | PM-4b. | PLAN OF ACTION AND MILESTONES PROCESS
PROGRAM MANAGEMENT | PM-5 | INFORMATION SYSTEM INVENTORY
PROGRAM MANAGEMENT | PM-6 | INFORMATION SECURITY MEASURES OF PERFORMANCE
PROGRAM MANAGEMENT | PM-7 | ENTERPRISE ARCHITECTURE
PROGRAM MANAGEMENT | PM-8 | CRITICAL INFRASTRUCTURE PLAN
PROGRAM MANAGEMENT | PM-9 | RISK MANAGEMENT STRATEGY
PROGRAM MANAGEMENT | PM-9a. | RISK MANAGEMENT STRATEGY
PROGRAM MANAGEMENT | PM-9b. | RISK MANAGEMENT STRATEGY
PROGRAM MANAGEMENT | PM-9c. | RISK MANAGEMENT STRATEGY
PROGRAM MANAGEMENT | PM-10 | SECURITY AUTHORIZATION PROCESS
PROGRAM MANAGEMENT | PM-10a. | SECURITY AUTHORIZATION PROCESS
PROGRAM MANAGEMENT | PM-10b. | SECURITY AUTHORIZATION PROCESS
PROGRAM MANAGEMENT | PM-10c. | SECURITY AUTHORIZATION PROCESS
PROGRAM MANAGEMENT | PM-11 | MISSION/BUSINESS PROCESS DEFINITION
PROGRAM MANAGEMENT | PM-11a. | MISSION/BUSINESS PROCESS DEFINITION
PROGRAM MANAGEMENT | PM-11b. | MISSION/BUSINESS PROCESS DEFINITION
PROGRAM MANAGEMENT | PM-12 | INSIDER THREAT PROGRAM
PROGRAM MANAGEMENT | PM-13 | INFORMATION SECURITY WORKFORCE
PROGRAM MANAGEMENT | PM-14 | TESTING, TRAINING, AND MONITORING
PROGRAM MANAGEMENT | PM-14a. | TESTING, TRAINING, AND MONITORING
PROGRAM MANAGEMENT | PM-14a.1. | TESTING, TRAINING, AND MONITORING
PROGRAM MANAGEMENT | PM-14a.2. | TESTING, TRAINING, AND MONITORING
PROGRAM MANAGEMENT | PM-14b. | TESTING, TRAINING, AND MONITORING
PROGRAM MANAGEMENT | PM-15 | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PROGRAM MANAGEMENT | PM-15a. | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PROGRAM MANAGEMENT | PM-15b. | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PROGRAM MANAGEMENT | PM-15c. | CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS
PROGRAM MANAGEMENT | PM-16 | THREAT AWARENESS PROGRAM

PRIORITY | BASELINE-IMPACT
(The PRIORITY and BASELINE-IMPACT columns were extracted as a separate run of values, detached from the FAMILY / NAME / TITLE rows above; they are listed here in their original order, with consecutive identical cells collapsed into one line and the number of rows they cover.)
P1 | LOW,MODERATE,HIGH | 25 rows
P1 | MODERATE,HIGH | 4 rows
P1 | HIGH | 14 rows
P1 | LOW,MODERATE,HIGH | 26 rows
P1 | MODERATE,HIGH | 30 rows
P1 | HIGH | 2 rows
P1 | MODERATE,HIGH | 8 rows
P2 | LOW,MODERATE,HIGH | 5 rows
P1 | LOW,MODERATE,HIGH | 11 rows
P0 | LOW,MODERATE,HIGH | 5 rows
P3 | HIGH | 1 row
P3 | MODERATE,HIGH | 4 rows
P2 | MODERATE,HIGH | 5 rows
P3 | LOW,MODERATE,HIGH | 5 rows
P0 | LOW,MODERATE,HIGH | 15 rows
P1 | LOW,MODERATE,HIGH | 3 rows
P1 | MODERATE,HIGH | 11 rows
P1 | LOW,MODERATE,HIGH | 3 rows
P1 | MODERATE,HIGH | 3 rows
P1 | HIGH | 2 rows
P1 | LOW,MODERATE,HIGH | 14 rows
P1 | MODERATE,HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 3 rows
P1 | MODERATE,HIGH | 6 rows
P2 | MODERATE,HIGH | 5 rows
P3 | LOW,MODERATE,HIGH | 5 rows
P0 | LOW,MODERATE,HIGH | 5 rows
P1 | LOW,MODERATE,HIGH | 12 rows
P1 | MODERATE,HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 8 rows
P3 | LOW,MODERATE,HIGH | 4 rows
P1 | LOW,MODERATE,HIGH | 14 rows
P1 | MODERATE,HIGH | 2 rows
P1 | LOW,MODERATE,HIGH | 1 row
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 5 rows
P1 | HIGH | 4 rows
P1 | LOW,MODERATE,HIGH | 3 rows
P1 | MODERATE,HIGH | 4 rows
P1 | HIGH | 6 rows
P2 | MODERATE,HIGH | 1 row
P3 | MODERATE,HIGH | 1 row
P4 | MODERATE,HIGH | 1 row
P5 | MODERATE,HIGH | 1 row
P6 | MODERATE,HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 3 rows
P1 | MODERATE,HIGH | 4 rows
P1 | LOW,MODERATE,HIGH | 2 rows
P1 | HIGH | 2 rows
P1 | MODERATE,HIGH | 3 rows
P2 | HIGH | 12 rows
P3 | LOW,MODERATE,HIGH | 2 rows
P1 | LOW,MODERATE,HIGH | 4 rows
P1 | HIGH | 3 rows
P0 | HIGH | 11 rows
P1 | LOW,MODERATE,HIGH | 7 rows
P2 | LOW,MODERATE,HIGH | 8 rows
P2 | MODERATE,HIGH | 1 row
P2 | HIGH | 2 rows
P1 | LOW,MODERATE,HIGH | 8 rows
P1 | MODERATE,HIGH | 2 rows
P3 | LOW,MODERATE,HIGH | 4 rows
P2 | LOW,MODERATE,HIGH | 12 rows
P2 | MODERATE,HIGH | 3 rows
P2 | HIGH | 3 rows
P2 | LOW,MODERATE,HIGH | 4 rows
P1 | LOW,MODERATE,HIGH | 8 rows
P1 | MODERATE,HIGH | 4 rows
P1 | HIGH | 1 row
P1 | MODERATE,HIGH | 15 rows
P1 | HIGH | 7 rows
P1 | MODERATE,HIGH | 5 rows
P2 | LOW,MODERATE,HIGH | 1 row
P2 | HIGH | 2 rows
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 3 rows
P1 P1 P1 P1 P1 P1 P1 | LOW,MODERATE,HIGH (seven priority cells extracted against a single baseline cell)
P1 P1 P1 P1 P1 | HIGH (five priority cells extracted against a single baseline cell)
P1 | HIGH | 3 rows
P1 | LOW,MODERATE,HIGH | 3 rows
P1 | MODERATE,HIGH | 5 rows
P1 | MODERATE | 4 rows
P1 | HIGH | 4 rows
P1 | LOW,MODERATE,HIGH | 7 rows
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 1 row
P1 | MODERATE,HIGH | 3 rows
P1 | HIGH | 1 row
P1 | MODERATE,HIGH | 13 rows
P2 | LOW,MODERATE,HIGH | 5 rows
P1 | LOW,MODERATE,HIGH | 27 rows
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 1 row
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 4 rows
P1 | MODERATE,HIGH | 1 row
P2 | LOW,MODERATE,HIGH | 4 rows
P2 | HIGH | 2 rows
P2 | LOW,MODERATE,HIGH | 4 rows
P2 | MODERATE,HIGH | 1 row
P2 | HIGH | 6 rows
P1 | MODERATE,HIGH | 4 rows
P1 | HIGH | 1 row
P1 | MODERATE,HIGH | 8 rows
P1 | HIGH | 3 rows
P1 | MODERATE,HIGH | 5 rows
P1 | HIGH | 6 rows
P1 | LOW,MODERATE,HIGH | 5 rows
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 6 rows
P1 | LOW,MODERATE,HIGH | 2 rows
P1 | MODERATE,HIGH | 2 rows
P1 | HIGH | 3 rows
P0 | HIGH | 3 rows
P1 | LOW,MODERATE,HIGH | 9 rows
P1 | MODERATE,HIGH | 2 rows
P1 | HIGH | 4 rows
P1 | MODERATE,HIGH | 1 row
P1 | HIGH | 2 rows
P1 | MODERATE,HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 2 rows
P1 | MODERATE,HIGH | 7 rows
P1 | LOW,MODERATE,HIGH | 31 rows
P1 | MODERATE,HIGH | 13 rows
P1 | LOW,MODERATE,HIGH | 5 rows
P2 | LOW,MODERATE,HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 7 rows
P0 | LOW,MODERATE,HIGH | 5 rows
P1 | LOW,MODERATE,HIGH | 7 rows
P2 | LOW,MODERATE,HIGH | 4 rows
P2 | HIGH | 2 rows
P2 | MODERATE,HIGH | 3 rows
P1 | LOW,MODERATE,HIGH | 4 rows
P1 | MODERATE,HIGH | 3 rows
P1 | HIGH | 7 rows
P1 | LOW,MODERATE,HIGH | 1 row
P1 | HIGH | 1 row
P1 | LOW,MODERATE,HIGH | 1 row
P1 | (baseline cell not present in the extracted text)

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P3

MODERATE,HIGH

P3

MODERATE,HIGH

P3

MODERATE,HIGH

P3

HIGH

P3

HIGH

P3

HIGH

P3

HIGH

P3

HIGH

P3

HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

MODERATE,HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

HIGH

P3

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P2

LOW,MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P3

HIGH

P3

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P0

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P3

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P0

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P2

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P2

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P0

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

LOW,MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P1

HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P1

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

MODERATE,HIGH

P2

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P0

LOW,MODERATE,HIGH

P1

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

P0

MODERATE,HIGH

DESCRIPTION
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the access control policy and associated access controls; and
Reviews and updates the current:
Access control policy [Assignment: organization-defined frequency]; and
Access control procedures [Assignment: organization-defined frequency].
The organization:
Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
Assigns account managers for information system accounts;
Establishes conditions for group and role membership;
Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
Monitors the use of information system accounts;
Notifies account managers:
When accounts are no longer required;
When users are terminated or transferred; and
When individual information system usage or need-to-know changes;
Authorizes access to the information system based on:
A valid access authorization;
Intended system usage; and
Other attributes as required by the organization or associated missions/business functions;
Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
The organization employs automated mechanisms to support the management of information system accounts.
The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].
The organization:
Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
Monitors privileged role assignments; and
Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
The information system creates [Assignment: organization-defined information system accounts] dynamically.
The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
The information system terminates shared/group account credentials when members leave the group.
The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts].
The organization:
Monitors information system accounts for [Assignment: organization-defined atypical usage]; and
Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
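The automated account management statements above (removal or disabling of temporary and emergency accounts after a defined period, disabling of inactive accounts, and audited, notified account actions) leave the mechanism and the time periods organization-defined. The following is an added example, not text or code from the catalog, of what one scheduled sweep implementing those three statements can look like. The account records, the time limits (7 days for temporary accounts, 1 day for emergency accounts, 35 days of inactivity) and the actor name are assumptions constructed for the example.

```python
"""Automated account lifecycle sweep (added example, not catalog text).

One pass that expires temporary/emergency accounts, disables inactive
accounts, and records an audit event for every state change so the
events can be forwarded to whoever the organization designates.
All account data and time limits below are constructed/assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed organization-defined parameters (illustrative values only).
MAX_AGE = {"temporary": timedelta(days=7), "emergency": timedelta(days=1)}
INACTIVITY_LIMIT = timedelta(days=35)


@dataclass
class Account:
    name: str
    kind: str                        # "standard", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]   # None = never logged in
    enabled: bool = True


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    action: str                      # e.g. "disable"
    account: str
    reason: str


def find_expired(accounts: List[Account], now: datetime) -> List[str]:
    """Enabled temporary/emergency accounts older than their allowed lifetime."""
    return sorted(
        a.name for a in accounts
        if a.enabled and a.kind in MAX_AGE and now - a.created > MAX_AGE[a.kind]
    )


def find_inactive(accounts: List[Account], now: datetime,
                  limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """Enabled accounts with no login within `limit`.

    An account that has never logged in is measured from its creation
    date, so a provisioned-but-unused account is still caught.
    """
    return sorted(
        a.name for a in accounts
        if a.enabled and now - (a.last_login or a.created) > limit
    )


def disable_accounts(accounts: List[Account], names: List[str], now: datetime,
                     actor: str, reason: str, audit_log: List[AuditEvent]) -> List[AuditEvent]:
    """Disable the named accounts; one audit event per actual change.

    Already-disabled accounts are skipped so a repeated sweep is
    idempotent and does not flood the audit trail.
    """
    by_name = {a.name: a for a in accounts}
    events = []
    for name in names:
        acct = by_name[name]
        if not acct.enabled:
            continue
        acct.enabled = False
        ev = AuditEvent(now, actor, "disable", name, reason)
        audit_log.append(ev)
        events.append(ev)
    return events


def run_lifecycle_sweep(accounts: List[Account], now: datetime,
                        audit_log: List[AuditEvent],
                        actor: str = "iam-automation") -> Tuple[List[str], List[str]]:
    """Expire temp/emergency accounts first, then disable inactive ones.
    Returns (expired_names, inactive_names) for the caller to report."""
    expired = find_expired(accounts, now)
    disable_accounts(accounts, expired, now, actor, "lifetime exceeded", audit_log)
    inactive = find_inactive(accounts, now)
    disable_accounts(accounts, inactive, now, actor, "inactive", audit_log)
    return expired, inactive


# Constructed sample directory for a sweep run at NOW.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", "standard", NOW - timedelta(days=400), NOW - timedelta(days=2)),
    Account("bob", "standard", NOW - timedelta(days=400), NOW - timedelta(days=60)),
    Account("contractor1", "temporary", NOW - timedelta(days=10), NOW - timedelta(days=1)),
    Account("oncall-break-glass", "emergency", NOW - timedelta(hours=30), NOW - timedelta(hours=29)),
    Account("svc-unused", "standard", NOW - timedelta(days=90), None),
]

if __name__ == "__main__":
    log: List[AuditEvent] = []
    print(run_lifecycle_sweep(SAMPLE_ACCOUNTS, NOW, log))
    for ev in log:
        print(ev)
```

Two design points worth noting: expiry runs before the inactivity check so that a temporary account is recorded as disabled for the right reason, and the audit event list is returned rather than printed so the notification step can be wired to the organization's designated recipients.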

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
[Withdrawn: Incorporated into AC-6].
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:
Is uniformly enforced across all subjects and objects within the boundary of the information system;
Specifies that a subject that has been granted access to information is constrained from doing any of the following:
Passing the information to unauthorized subjects or objects;
Granting its privileges to other subjects;
Changing one or more security attributes on subjects, objects, the information system, or information system components;
Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
Changing the rules governing access control; and
Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
Pass the information to any other subjects or objects;
Grant its privileges to other subjects;
Change security attributes on subjects, objects, the information system, or the information system's components;
Choose the security attributes to be associated with newly created or revised objects; or
Change the rules governing access control.
The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
[Withdrawn: Incorporated into MP-4 and SC-28].
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
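The mandatory and discretionary policy statements above differ in exactly who may pass information to another object, grant privileges, and change security attributes: under the mandatory policy an ordinary subject may do none of these and only a designated trusted subject is exempt, while under the discretionary policy the subject holding access may. As an added illustration (not part of the catalog), the following toy reference monitor enforces both modes over a constructed linear sensitivity lattice, including the trusted-subject exemption. The lattice, labels, subjects and objects are assumptions made for the example.

```python
"""Mandatory vs. discretionary access control (added example, not catalog text).

A toy reference monitor that runs in MAC mode (ordinary subjects cannot
pass information downward, grant privileges or relabel; trusted subjects
are exempt) or DAC mode (an object's owner may pass, grant and relabel).
The lattice, subjects and objects are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed linear sensitivity lattice; the real policy is organization-defined.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass
class Subject:
    name: str
    label: str
    trusted: bool = False        # exempt from the MAC constraints


@dataclass
class Object:
    name: str
    label: str
    owner: str
    acl: Set[str] = field(default_factory=set)   # DAC grants


class ReferenceMonitor:
    """Every access decision passes through here; nothing is cached."""

    def __init__(self, mode: str):
        if mode not in ("MAC", "DAC"):
            raise ValueError("mode must be MAC or DAC")
        self.mode = mode

    def _dac_allows(self, s: Subject, o: Object) -> bool:
        return s.name == o.owner or s.name in o.acl

    def can_read(self, s: Subject, o: Object) -> bool:
        if self.mode == "MAC":
            # no read-up: the subject's level must dominate the object's
            return s.trusted or LEVELS[s.label] >= LEVELS[o.label]
        return self._dac_allows(s, o)

    def can_write(self, s: Subject, o: Object) -> bool:
        if self.mode == "MAC":
            # no write-down: information may only be placed in objects
            # at or above the subject's own level
            return s.trusted or LEVELS[o.label] >= LEVELS[s.label]
        return self._dac_allows(s, o)

    def copy_between(self, s: Subject, src: Object, dst: Object) -> bool:
        """Passing information from src to dst needs read on src and
        write on dst; under MAC this is what blocks a write-down."""
        return self.can_read(s, src) and self.can_write(s, dst)

    def grant(self, s: Subject, o: Object, grantee: str) -> bool:
        if self.mode == "MAC" and not s.trusted:
            return False         # untrusted subjects cannot grant privileges
        if self.mode == "DAC" and s.name != o.owner:
            return False         # only the owner grants under DAC
        o.acl.add(grantee)
        return True

    def relabel(self, s: Subject, o: Object, new_label: str) -> bool:
        if new_label not in LEVELS:
            return False
        if self.mode == "MAC" and not s.trusted:
            return False         # untrusted subjects cannot change attributes
        if self.mode == "DAC" and s.name != o.owner:
            return False
        o.label = new_label
        return True


def build_scenario() -> Dict[str, object]:
    """Fresh constructed subjects and objects so each run starts clean."""
    return {
        "alice": Subject("alice", "CONFIDENTIAL"),
        "bob": Subject("bob", "INTERNAL"),
        "auditor": Subject("auditor", "SECRET", trusted=True),
        "plan": Object("plan", "CONFIDENTIAL", owner="alice"),
        "wiki": Object("wiki", "INTERNAL", owner="bob", acl={"alice"}),
        "secret": Object("secret", "SECRET", owner="auditor"),
    }


if __name__ == "__main__":
    for mode in ("MAC", "DAC"):
        sc, rm = build_scenario(), ReferenceMonitor(mode)
        print(mode, "alice copies plan -> wiki:",
              rm.copy_between(sc["alice"], sc["plan"], sc["wiki"]))
        print(mode, "alice grants wiki to carol:",
              rm.grant(sc["alice"], sc["wiki"], "carol"))
```

The same copy request (alice moving her CONFIDENTIAL plan into the INTERNAL wiki she can write to) is refused in MAC mode and permitted in DAC mode; that single case is the practical difference between the two policy statements.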

The information system does not release information outside of the established system boundary unless:
The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
[Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
The organization employs an audited override of automated access control mechanisms under [Assignment: organization-defined conditions].
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
The information system enforces dynamic information flow control based on [Assignment: organization-defined policies].
The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
The information system enforces information flow control based on [Assignment: organization-defined metadata].
The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms.
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
[Withdrawn: Incorporated into AC-4].
The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer.
The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement.
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
The organization:
Separates [Assignment: organization-defined duties of individuals];
Documents separation of duties of individuals; and
Defines information system access authorizations to support separation of duties.
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
The organization prohibits privileged access to the information system by non-organizational users.
The organization:
Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
The information system prevents [Assignment: organization-defined software] from executing at higher privilege levels than users executing the software.
The information system audits the execution of privileged functions.
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

The information system:
Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.

[Withdrawn: Incorporated into AC-7].

The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.

The information system:
Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
Users are accessing a U.S. Government information system;
Information system usage may be monitored, recorded, and subject to audit;
Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
Use of the information system indicates consent to monitoring and recording;
Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
For publicly accessible systems:
Displays system use information [Assignment: organization-defined conditions], before granting further access;
Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
Includes a description of the authorized uses of the system.

The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.

The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].

The information system notifies the user of changes to [Assignment: organization-defined security-related characteristics/parameters of the user's account] during [Assignment: organization-defined time period].

The information system notifies the user, upon successful logon (access), of the following additional information: [Assignment: organization-defined information to be included in addition to the date and time of the last logon (access)].

The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

The information system:
Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
Retains the session lock until the user reestablishes access using established identification and authentication procedures.

The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

The information system:
Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and
Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

[Withdrawn: Incorporated into AC-2 and AU-6].

The organization:
Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

[Withdrawn: Incorporated into AC-14].

[Withdrawn: Incorporated into MP-3].

The organization:
Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
Ensures that the security attribute associations are made and retained with the information;
Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.

The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.

The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.

The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].

The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).

The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].

The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].

The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.

The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.

The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures].

The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.

The organization:
Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
Authorizes remote access to the information system prior to allowing such connections.

The information system monitors and controls remote access methods.

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.

The organization:
Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
Documents the rationale for such access in the security plan for the information system.

[Withdrawn: Incorporated into SI-4].

The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

[Withdrawn: Incorporated into AC-3 (10)].

[Withdrawn: Incorporated into CM-7].

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].

The organization:
Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
Authorizes wireless access to the information system prior to allowing such connections.

The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

[Withdrawn: Incorporated into SI-4].

The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.

The organization:
Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
Authorizes the connection of mobile devices to organizational information systems.

[Withdrawn: Incorporated into MP-7].

[Withdrawn: Incorporated into MP-7].

[Withdrawn: Incorporated into MP-7].

The organization:
Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
Connection of unclassified mobile devices to classified information systems is prohibited;
Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].

The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
Access the information system from external information systems; and
Process, store, or transmit organization-controlled information using external information systems.

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.

The organization:
Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

The information system implements information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].

The organization:
Designates individuals authorized to post information onto a publicly accessible information system;
Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.

The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.

The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

The information system transmits [Assignment: organization-defined access authorization information] using [Assignment: organization-defined security safeguards] to [Assignment: organization-defined information systems] that enforce access control decisions.

The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.

The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
Reviews and updates the current:
Security awareness and training policy [Assignment: organization-defined frequency]; and
Security awareness and training procedures [Assignment: organization-defined frequency].

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
As part of initial training for new users;
When required by information system changes; and
[Assignment: organization-defined frequency] thereafter.

The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

The organization provides role-based security training to personnel with assigned security roles and responsibilities:
Before authorizing access to the information system or performing assigned duties;
When required by information system changes; and
[Assignment: organization-defined frequency] thereafter.

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

The organization includes practical exercises in security training that reinforce training objectives.

The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.

The organization:
Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
Retains individual training records for [Assignment: organization-defined time period].

[Withdrawn: Incorporated into PM-15].

The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
Reviews and updates the current:
Audit and accountability policy [Assignment: organization-defined frequency]; and
Audit and accountability procedures [Assignment: organization-defined frequency].

The organization:
Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

[Withdrawn: Incorporated into AU-12].

[Withdrawn: Incorporated into AU-12].

The organization reviews and updates the audited events [Assignment: organization-defined frequency].

[Withdrawn: Incorporated into AC-6 (9)].

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].

The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].

The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].

The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

The information system:
Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

The organization:
Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
Reports findings to [Assignment: organization-defined personnel or roles].

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

[Withdrawn: Incorporated into SI-4].

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

The information system provides the capability to centrally review and analyze audit records from multiple components within the system.

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.

The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.

The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.

The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

The information system provides an audit reduction and report generation capability that:
Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
Does not alter the original content or time ordering of audit records.

The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].

The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].

The information system:
Uses internal system clocks to generate time stamps for audit records; and
Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

The information system:
Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].

The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

The information system writes audit trails to hardware-enforced, write-once media.

The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].

The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].

The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].

The information system:
Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
Provides the means for authorized individuals to determine the identity of the producer of the information.

The information system:
Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
Performs [Assignment: organization-defined actions] in the event of a validation error.

The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.

The information system:
Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
Performs [Assignment: organization-defined actions] in the event of a validation error.

[Withdrawn: Incorporated into SI-7].

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.

The information system:
Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].

The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.

The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

The information system initiates session audits at system startup.

The information system provides the capability for authorized users to capture/record and log content related to a user session.
The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.
The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
Reviews and updates the current:
Security assessment and authorization policy [Assignment:
organization-defined frequency]; and
Security assessment and authorization procedures
[Assignment: organization-defined frequency].
The organization:
Develops a security assessment plan that describes the scope
of the assessment including:
Security controls and control enhancements under assessment;
Assessment procedures to be used to determine security
control effectiveness; and
Assessment environment, assessment team, and assessment
roles and responsibilities;
Assesses the security controls in the information system and its
environment of operation [Assignment: organization-defined
frequency] to determine the extent to which the controls are
implemented correctly, operating as intended, and producing
the desired outcome with respect to meeting established
security requirements;
Produces a security assessment report that documents the results of the assessment; and
Provides the results of the security control assessment to
[Assignment: organization-defined individuals or roles].
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
The organization:
Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.
The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.
[Withdrawn: Incorporated into CA-2].
The organization:
Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available.
The organization:
Assigns a senior-level executive or manager as the authorizing
official for the information system;
Ensures that the authorizing official authorizes the information
system for processing before commencing operations; and
Updates the security authorization [Assignment: organization-defined frequency].
The organization develops a continuous monitoring strategy
and implements a continuous monitoring program that
includes:
Establishment of [Assignment: organization-defined metrics] to
be monitored;
Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
Correlation and analysis of security-related information generated by assessments and monitoring;
Response actions to address results of the analysis of security-related information; and
Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
[Withdrawn: Incorporated into CA-2].
The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].
The organization:
Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
The organization:
Develops, documents, and disseminates to [Assignment:
organization-defined personnel or roles]:
A configuration management policy that addresses purpose,
scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
Reviews and updates the current:
Configuration management policy [Assignment: organization-defined frequency]; and
Configuration management procedures [Assignment: organization-defined frequency].
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
The organization reviews and updates the baseline configuration of the information system:
[Assignment: organization-defined frequency];
When required due to [Assignment: organization-defined circumstances]; and
As an integral part of information system component installations and upgrades.
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
[Withdrawn: Incorporated into CM-7].
[Withdrawn: Incorporated into CM-7].
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
The organization:
Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
The organization:
Determines the types of changes to the information system
that are configuration-controlled;
Reviews proposed configuration-controlled changes to the
information system and approves or disapproves such changes
with explicit consideration for security impact analyses;
Documents configuration change decisions associated with the information system;
Implements approved configuration-controlled changes to the information system;
Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
Audits and reviews activities associated with configuration-controlled changes to the information system; and
Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
The organization employs automated mechanisms to:
Document proposed changes to the information system;
Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
Prohibit changes to the information system until designated approvals are received;
Document all changes to the information system; and
Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
The information system enforces access restrictions and supports auditing of the enforcement actions.
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
The organization:
Limits privileges to change information system components and system-related information within a production or operational environment; and
Reviews and reevaluates privileges [Assignment: organization-defined frequency].
The organization limits privileges to change software resident
within software libraries.
[Withdrawn: Incorporated into SI-7].
The organization:
Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
Implements the configuration settings;
Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
[Withdrawn: Incorporated into SI-7].
[Withdrawn: Incorporated into CM-4].
The organization:
Configures the information system to provide only essential
capabilities; and
Prohibits or restricts the use of the following functions, ports,
protocols, and/or services: [Assignment: organization-defined
prohibited or restricted functions, ports, protocols, and/or services].
The organization:
Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
The organization:
Identifies [Assignment: organization-defined software programs
not authorized to execute on the information system];
Employs an allow-all, deny-by-exception policy to prohibit the
execution of unauthorized software programs on the
information system; and
Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
The organization:
Identifies [Assignment: organization-defined software programs
authorized to execute on the information system];
Employs a deny-all, permit-by-exception policy to allow the
execution of authorized software programs on the information
system; and
Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
The organization:
Develops and documents an inventory of information system
components that:
Accurately reflects the current information system;
Includes all components within the authorization boundary of
the information system;
Is at the level of granularity deemed necessary for tracking and
reporting; and
Includes [Assignment: organization-defined information
deemed necessary to achieve effective information system
component accountability]; and
Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
The organization:
Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
The organization provides a centralized repository for the inventory of information system components.
The organization employs automated mechanisms to support tracking of information system components by geographic location.
The organization:
Assigns [Assignment: organization-defined acquired
information system components] to an information system; and
Receives an acknowledgement from the information system
owner of this assignment.
The organization develops, documents, and implements a
configuration management plan for the information system
that:
Addresses roles, responsibilities, and configuration
management processes and procedures;
Establishes a process for identifying configuration items
throughout the system development life cycle and for
managing the configuration of the configuration items;
Defines the configuration items for the information system and places the configuration items under configuration management; and
Protects the configuration management plan from unauthorized disclosure and modification.
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
The organization:
Uses software and associated documentation in accordance
with contract agreements and copyright laws;
Tracks the use of software and associated documentation
protected by quantity licenses to control copying and
distribution; and
Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
The organization:
Establishes [Assignment: organization-defined policies]
governing the installation of software by users;
Enforces software installation policies through [Assignment:
organization-defined methods]; and
Monitors policy compliance at [Assignment: organization-defined frequency].
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
The information system prohibits user installation of software without explicit privileged status.
The organization:
Develops, documents, and disseminates to [Assignment:
organization-defined personnel or roles]:
A contingency planning policy that addresses purpose, scope,
roles, responsibilities, management commitment, coordination
among organizational entities, and compliance; and
Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
Reviews and updates the current:
Contingency planning policy [Assignment: organization-defined frequency]; and
Contingency planning procedures [Assignment: organization-defined frequency].
The organization:
Develops a contingency plan for the information system that:
Identifies essential missions and business functions and
associated contingency requirements;
Provides recovery objectives, restoration priorities, and metrics;
Addresses contingency roles, responsibilities, assigned
individuals with contact information;
Addresses maintaining essential missions and business
functions despite an information system disruption,
compromise, or failure;
Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
Is reviewed and approved by [Assignment: organization-defined personnel or roles];
Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
Coordinates contingency planning activities with incident handling activities;
Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
Protects the contingency plan from unauthorized disclosure and modification.
The organization coordinates contingency plan development
with organizational elements responsible for related plans.
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
The organization identifies critical information system assets supporting essential missions and business functions.
The organization provides contingency training to information
system users consistent with assigned roles and
responsibilities:
Within [Assignment: organization-defined time period] of
assuming a contingency role or responsibility;
When required by information system changes; and
[Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into
contingency training to facilitate effective response by
personnel in crisis situations.
The organization employs automated mechanisms to provide a more thorough and realistic contingency training environment.
The organization:
Tests the contingency plan for the information system
[Assignment: organization-defined frequency] using
[Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
Reviews the contingency plan test results; and
Initiates corrective actions, if needed.
The organization coordinates contingency plan testing with
organizational elements responsible for related plans.
The organization tests the contingency plan at the alternate
processing site:
To familiarize contingency personnel with the facility and
available resources; and
To evaluate the capabilities of the alternate processing site to support contingency operations.
The organization employs automated mechanisms to more
thoroughly and effectively test the contingency plan.
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
[Withdrawn: Incorporated into CP-2].
The organization:
Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
The organization:
Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions.
[Withdrawn: Incorporated into CP-7].
The organization plans and prepares for circumstances that
preclude returning to the primary processing site.
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
The organization:
Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
The organization:
Requires primary and alternate telecommunications service
providers to have contingency plans;
Reviews provider contingency plans to ensure that the plans
meet organizational contingency requirements; and
Obtains evidence of contingency testing/training by providers
[Assignment: organization-defined frequency].
The organization tests alternate telecommunication services
[Assignment: organization-defined frequency].
The organization:
Conducts backups of user-level information contained in the
information system [Assignment: organization-defined
frequency consistent with recovery time and recovery point objectives];
Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
Protects the confidentiality, integrity, and availability of backup information at storage locations.
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
[Withdrawn: Incorporated into CP-9].
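What the backup tests in CP-9 (1) and CP-9 (2) look like in practice, as an added example that is not part of the control text: a per-file SHA-256 manifest is recorded at backup time and sealed with an HMAC so that an attacker who rewrites a file cannot also rewrite its hash; verification then reports corrupted and missing files, and a sample of files is restored and re-verified. The manifest format, the MANIFEST_KEY value, the function names and the sample backup set are all constructed for this example, not taken from the page.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Constructed key for sealing the manifest (assumption). It must be kept apart from the
# backup media: whoever can rewrite the backup must not be able to re-seal its manifest.
MANIFEST_KEY = b"constructed-demo-manifest-key"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def seal(files: dict) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir: str) -> dict:
    """Record a SHA-256 per file at backup time and seal the listing with an HMAC."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            path = os.path.join(root, name)
            files[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return {"files": files, "mac": seal(files)}


def verify_backup(backup_dir: str, manifest: dict) -> dict:
    """CP-9 (1): check media reliability and information integrity against the sealed manifest."""
    if not hmac.compare_digest(seal(manifest["files"]), manifest["mac"]):
        return {"manifest_valid": False, "corrupted": [], "missing": []}
    corrupted, missing = [], []
    for rel, digest in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupted.append(rel)
    return {"manifest_valid": True, "corrupted": sorted(corrupted), "missing": sorted(missing)}


def restore_sample(backup_dir: str, manifest: dict, dest: str, sample: list) -> list:
    """CP-9 (2): restore a sample of files and return those whose restored copy does not verify."""
    failed = []
    for rel in sample:
        src, dst = os.path.join(backup_dir, rel), os.path.join(dest, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        if sha256_file(dst) != manifest["files"][rel]:
            failed.append(rel)
    return failed


def demo() -> dict:
    """Constructed backup set: verify it clean, then after bit rot, a lost file, and a forged manifest."""
    with tempfile.TemporaryDirectory() as work:
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(backup, "etc"))
        contents = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/sshd_config": b"PasswordAuthentication no\n",
            "db.dump": bytes(range(256)) * 16,
        }
        for rel, data in contents.items():
            with open(os.path.join(backup, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)
        with open(os.path.join(backup, "db.dump"), "r+b") as f:   # one flipped byte (bit rot)
            f.seek(100)
            f.write(b"\x00")
        os.remove(os.path.join(backup, "etc/sshd_config"))        # one lost file
        damaged = verify_backup(backup, manifest)
        forged = {"files": {**manifest["files"], "db.dump": sha256_file(os.path.join(backup, "db.dump"))},
                  "mac": manifest["mac"]}                          # attacker rewrites the hash only
        forged_result = verify_backup(backup, forged)
        restore_failed = restore_sample(backup, manifest, os.path.join(work, "restore"), ["etc/passwd"])
        return {"clean": clean, "damaged": damaged, "forged": forged_result, "restore_failed": restore_failed}
```

Running demo() reports the clean set as valid, then flags db.dump as corrupted and etc/sshd_config as missing, rejects the re-hashed manifest because its HMAC no longer matches, and confirms the restored sample verifies. Reading every byte of the media is the point: a backup that lists correctly but cannot be read back has not been tested.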
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
[Withdrawn: Incorporated into CP-4].
The information system implements transaction recovery for systems that are transaction-based.
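What transaction recovery means mechanically, as an added example that is not part of the control text: a small key-value store journals every write to a write-ahead log before appending a COMMIT record, so that after a crash recovery replays only transactions that reached COMMIT, discards those that did not, and truncates a record torn mid-write. The WALStore class, its JSON record format and the account balances are constructed for this example; a real database uses the same idea with a binary log, checksums per record and checkpointing.

```python
from __future__ import annotations
import json
import os
import tempfile


class WALStore:
    """Key-value store whose every transaction is journaled in a write-ahead log:
    the writes go to the log first, then a COMMIT record. Recovery replays only
    transactions that reached COMMIT, drops any that did not, and truncates a
    torn record left by a crash mid-append. (Constructed example, not a real DB.)"""

    def __init__(self, path: str):
        self.data = {}
        self.log = open(path, "a+b")
        self.replayed, self.discarded = self.recover()

    def recover(self):
        self.log.seek(0)
        pending, good, committed = {}, 0, 0
        for raw in self.log.read().splitlines(keepends=True):
            try:
                rec = json.loads(raw)
            except ValueError:
                break                      # torn tail: crash while this record was being written
            good += len(raw)
            if rec["op"] == "set":
                pending.setdefault(rec["tx"], []).append((rec["k"], rec["v"]))
            elif rec["op"] == "commit":    # only now do the transaction's writes become visible
                for k, v in pending.pop(rec["tx"], []):
                    self.data[k] = v
                committed += 1
        self.log.truncate(good)            # drop the torn record so later appends stay parseable
        self.log.seek(0, os.SEEK_END)
        return committed, sorted(pending)  # pending = transactions that never committed

    def _append(self, rec: dict):
        self.log.write(json.dumps(rec).encode() + b"\n")
        self.log.flush()
        os.fsync(self.log.fileno())        # the record must be durable before anything relies on it

    def transaction(self, tx: str, writes: dict, simulate_crash_before_commit: bool = False):
        for k, v in writes.items():
            self._append({"op": "set", "tx": tx, "k": k, "v": v})
        if simulate_crash_before_commit:
            return                         # journaled but uncommitted: recovery will discard it
        self._append({"op": "commit", "tx": tx})
        self.data.update(writes)

    def close(self):
        self.log.close()


def demo() -> dict:
    """Constructed scenario: two committed transfers, one uncommitted one, then a torn record."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wal.log")
        s = WALStore(path)
        s.transaction("t1", {"balance:alice": 100, "balance:bob": 50})
        s.transaction("t2", {"balance:alice": 70, "balance:bob": 80})      # alice -> bob 30
        s.transaction("t3", {"balance:alice": 0, "balance:bob": 150}, simulate_crash_before_commit=True)
        s.close()
        size_before = os.path.getsize(path)
        with open(path, "ab") as f:                                        # crash mid-write of t4
            f.write(b'{"op":"set","tx":"t4","k":"bal')
        r = WALStore(path)
        result = {"data": dict(r.data), "replayed": r.replayed, "discarded": r.discarded,
                  "torn_record_removed": os.path.getsize(path) == size_before}
        r.close()
        return result
```

After recovery the balances are those of t2 (alice 70, bob 80): t3 wrote both of its updates to the log but never committed, so neither is applied, which is the atomicity the control is asking for, and the half-written t4 record is cut off rather than left to corrupt the next append.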
[Withdrawn: Addressed through tailoring procedures].
The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
[Withdrawn: Incorporated into SI-13].
The organization protects backup and restoration hardware, firmware, and software.
The information system provides the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.
The information system, when [Assignment: organization-defined conditions] are detected, enters a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].
The organization employs [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
Reviews and updates the current:
Identification and authentication policy [Assignment: organization-defined frequency]; and
Identification and authentication procedures [Assignment: organization-defined frequency].
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
The information system implements multifactor authentication for network access to privileged accounts.
The information system implements multifactor authentication for network access to non-privileged accounts.
The information system implements multifactor authentication for local access to privileged accounts.
The information system implements multifactor authentication for local access to non-privileged accounts.
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services].
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].
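The two properties the IA-2 enhancements above ask for, a factor from a separate device (IA-2 (6), (7), (11)) and replay resistance (IA-2 (8), (9)), shown together as an added example that is not part of the control text. The server issues a single-use random nonce, the client answers with an HMAC over it (the secret itself never crosses the network), and the second factor is an RFC 6238 TOTP computed from a seed held only on the separate device. Both secrets, the step size and the one-step skew window are constructed for the example; Verifier and respond() are hypothetical names, not any product's API.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import struct

# Constructed secrets for the example (assumption). The shared secret is what the user's
# client proves knowledge of; the TOTP seed lives only on the separate device.
SHARED_SECRET = b"constructed-demo-client-secret"
TOTP_SEED = b"constructed-demo-seed-on-separate-device"
STEP = 30


def totp(seed: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation) at Unix time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge-response: prove the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class Verifier:
    """Server side. A response is bound to a single-use nonce, so a captured
    (nonce, response, code) triple cannot be replayed; accepted TOTP time steps are
    remembered so the same one-time code is not accepted twice either."""

    def __init__(self, secret: bytes, seed: bytes):
        self.secret, self.seed = secret, seed
        self.outstanding = set()    # nonces issued but not yet consumed
        self.used_counters = set()  # TOTP time steps already accepted

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes, code: str, now: int) -> bool:
        if nonce not in self.outstanding:
            return False                        # unknown or already consumed: a replay
        self.outstanding.discard(nonce)         # single use, whether or not the rest succeeds
        if not hmac.compare_digest(respond(self.secret, nonce), response):
            return False
        for skew in (-1, 0, 1):                 # tolerate one step of clock drift
            counter = now // STEP + skew
            if counter in self.used_counters:
                continue
            if hmac.compare_digest(totp(self.seed, counter * STEP), code):
                self.used_counters.add(counter)
                return True
        return False


def demo() -> dict:
    """One genuine logon, the same capture replayed, the same OTP reused, then the next step."""
    v = Verifier(SHARED_SECRET, TOTP_SEED)
    now = 1_700_000_000
    nonce = v.challenge()
    response = respond(SHARED_SECRET, nonce)                      # computed on the client
    code = totp(TOTP_SEED, now)                                   # read from the separate device
    genuine = v.verify(nonce, response, code, now)
    replayed = v.verify(nonce, response, code, now)               # attacker resends the capture
    n2 = v.challenge()
    otp_reused = v.verify(n2, respond(SHARED_SECRET, n2), code, now)  # fresh nonce, stale OTP
    n3 = v.challenge()
    next_step = v.verify(n3, respond(SHARED_SECRET, n3), totp(TOTP_SEED, now + STEP), now + STEP)
    return {"genuine": genuine, "replayed": replayed, "otp_reused": otp_reused, "next_step": next_step}
```

The replayed capture fails because its nonce was consumed on first use, and the stale OTP fails even with a fresh nonce because its time step has already been accepted. What this does not give you on its own is the strength-of-mechanism assignment in the control: a TOTP proves possession of a seed, not that the device is the one enrolled, which is why hardware-bound authenticators are preferred for privileged access.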
The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.
[Withdrawn: Incorporated into IA-3 (1)].
The organization:
Standardizes dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
Audits lease information when assigned to a device.
The organization ensures that device identification and authentication based on attestation is handled by [Assignment: organization-defined configuration management process].
The organization manages information system identifiers by:
Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
Selecting an identifier that identifies an individual, group, role, or device;
Assigning the identifier to the intended individual, group, role, or device;
Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
Disabling the identifier after [Assignment: organization-defined time period of inactivity].
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
The organization requires multiple forms of certification of individual identification be presented to the registration authority.
The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
The information system dynamically manages identifiers.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
The organization manages information system authenticators by:
Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
Establishing initial authenticator content for authenticators defined by the organization;
Ensuring that authenticators have sufficient strength of mechanism for their intended use;
Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
Changing default content of authenticators prior to information system installation;
Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
Protecting authenticator content from unauthorized disclosure and modification;
Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
Changing authenticators for group/role accounts when membership to those accounts changes.
The information system, for password-based authentication:
Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
Stores and transmits only cryptographically-protected passwords;
Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
Prohibits password reuse for [Assignment: organization-defined number] generations; and
Allows the use of a temporary password for system logons with an immediate change to a permanent password.
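The six requirements of IA-5 (1) carried through as working checks, as an added example rather than text from the page. Every policy value (15 characters, one of each class, 8 changed characters, 24 generations, 1-day minimum and 60-day maximum lifetime) and the PBKDF2-HMAC-SHA256 work factor are constructed placeholders for the organization-defined assignments; PasswordPolicy, Account and the function names are hypothetical. Note that the changed-characters check (b) needs the old password in clear, which is only available at change time because the user presents it to authorize the change; it is never stored.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumption; tune to the deployment)


@dataclass
class PasswordPolicy:
    """Constructed placeholder values for the IA-5 (1) assignments."""
    min_length: int = 15
    min_upper: int = 1
    min_lower: int = 1
    min_digit: int = 1
    min_special: int = 1
    min_changed: int = 8              # (b) changed characters versus the old password
    history: int = 24                 # (e) generations that may not be reused
    min_lifetime: int = 24 * 3600     # (d) seconds before another change is allowed
    max_lifetime: int = 60 * 86400    # (d) seconds after which a change is forced


def hash_password(pw: str, salt: bytes = b"") -> bytes:
    """(c) Only this salted hash, never the password, is stored or transmitted."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def check_password(pw: str, stored: bytes) -> bool:
    salt, dk = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS), dk)


def complexity_errors(pw: str, p: PasswordPolicy) -> list:
    """(a) Length and per-class minimums; the comparison is case sensitive throughout."""
    classes = {
        "upper": (sum(c.isupper() for c in pw), p.min_upper),
        "lower": (sum(c.islower() for c in pw), p.min_lower),
        "digit": (sum(c.isdigit() for c in pw), p.min_digit),
        "special": (sum(not c.isalnum() for c in pw), p.min_special),
    }
    errs = ["length"] if len(pw) < p.min_length else []
    return errs + [name for name, (have, need) in classes.items() if have < need]


def changed_chars(old: str, new: str) -> int:
    """(b) Levenshtein distance: the minimum number of characters changed between the two."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a != b)))
        prev = cur
    return prev[-1]


@dataclass
class Account:
    current: bytes
    history: list = field(default_factory=list)   # previous generations' hashes, newest first
    changed_at: float = 0.0
    temporary: bool = False                       # (f) must be replaced at the next logon


def change_password(acct: Account, old_pw: str, new_pw: str, p: PasswordPolicy, now: float) -> list:
    """Apply the change if it passes every check; return the list of violations otherwise."""
    if not check_password(old_pw, acct.current):
        return ["current password incorrect"]
    errs = complexity_errors(new_pw, p)
    if changed_chars(old_pw, new_pw) < p.min_changed:
        errs.append("too few changed characters")
    if not acct.temporary and now - acct.changed_at < p.min_lifetime:
        errs.append("minimum lifetime not reached")
    if any(check_password(new_pw, h) for h in [acct.current] + acct.history):
        errs.append("reused within history")
    if errs:
        return errs
    acct.history = ([acct.current] + acct.history)[:p.history]
    acct.current = hash_password(new_pw)
    acct.changed_at = now
    acct.temporary = False
    return []


def logon(acct: Account, pw: str, p: PasswordPolicy, now: float) -> str:
    if not check_password(pw, acct.current):
        return "denied"
    if acct.temporary or now - acct.changed_at > p.max_lifetime:
        return "change-required"   # (f) temporary password, or (d) maximum lifetime exceeded
    return "ok"
```

The reuse check (e) has to re-derive the candidate against every stored generation because each has its own salt; that is deliberate, since a history of unsalted hashes would be a cheap cracking target. The lifetime minimum is skipped for a temporary password so that the immediate change required by (f) is not blocked by (d).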
The information system, for PKI-based authentication:
Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
Enforces authorized access to the corresponding private key;
Maps the authenticated identity to the account of the individual or group; and
Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
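One way to catch IA-5 (7) violations before a script ships, as an added example that is not part of the control text: a small scanner run over a constructed deployment script. It flags literal password assignments, passwords passed on a command line, credentials embedded in URLs, an AWS access key ID and a pasted private key, while ignoring values that are prompted for or pulled from the environment. The rule set, the placeholder prefixes and the sample script (every credential in it is fake) are constructed for this example; a production scan would use a maintained ruleset with an allowlist and treat each finding as a lead to confirm, not a verdict.

```python
from __future__ import annotations
import re

# Constructed rule set for the example; each pattern captures the candidate secret in group 'v'.
RULES = [
    ("password assignment", re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd)\s*[:=]\s*['"]?(?P<v>[^'"\s]{4,})""")),
    ("cli password flag", re.compile(r"""(?i)(?:^|\s)(?:-p(?=\S)|--password[=\s]\s*)['"]?(?P<v>[^'"\s]{4,})""")),
    ("url with credentials", re.compile(r"""(?i)[a-z][a-z0-9+.\-]*://[^\s/:@]+:(?P<v>[^\s@]+)@""")),
    ("aws access key", re.compile(r"\b(?P<v>(?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("private key block", re.compile(r"(?P<v>-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
]
# Values starting like this are variable references or templates, not static authenticators.
PLACEHOLDER_PREFIXES = ("$", "%", "<", "{")

# Constructed sample script (assumption): all secrets in it are fake.
SCRIPT = """\
#!/bin/sh
# constructed deployment script for the example; every credential in it is fake
DB_HOST=db.internal.example
DB_PASSWORD="Sup3rS3cret!"
mysql -h "$DB_HOST" -u app -pSup3rS3cret! app_db < schema.sql
curl -s https://svc:hunter2@repo.internal.example/artifact.tgz -o a.tgz
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
read -s -p "Vault token: " VAULT_TOKEN                 # prompted, not embedded
API_PASSWORD="${API_PASSWORD:?set in environment}"   # reference, not a literal
cat > /root/.ssh/id_rsa <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
""".splitlines()


def redact(value: str) -> str:
    """Findings are reported redacted so the scanner's own output is not a second leak."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan(lines) -> list:
    """Return one finding per (line, rule) for literal credentials found in script text."""
    findings = []
    for n, line in enumerate(lines, 1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                v = m.group("v")
                if v.startswith(PLACEHOLDER_PREFIXES):
                    continue
                findings.append({"line": n, "rule": rule, "redacted": redact(v)})
    return findings
```

On the sample, scan(SCRIPT) reports lines 4, 5, 6, 7 and 11 and nothing for the prompted token or the environment reference. The command-line case on line 5 is worth singling out: besides being static, a password in argv is visible to every local user through the process list, which is a second reason the control forbids it.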
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of credentials.
The information system dynamically provisions identities.
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
The information system, for biometric-based authentication, employs mechanisms that satisfy [Assignment: organization-defined biometric quality requirements].
The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period].
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
The organization uses only FICAM-approved path discovery and validation products and services.
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
The information system accepts only FICAM-approved third-party credentials.
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
The information system conforms to FICAM-issued profiles.
The information system accepts and electronically verifies Personal Identity Verification-I (PIV-I) credentials.
The organization identifies and authenticates [Assignment: organization-defined information system services] using [Assignment: organization-defined security safeguards].
The organization ensures that service providers receive, validate, and transmit identification and authentication information.
The organization ensures that identification and authentication decisions are transmitted between [Assignment: organization-defined services] consistent with organizational policies.
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].
The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
Reviews and updates the current:
Incident response policy [Assignment: organization-defined frequency]; and
Incident response procedures [Assignment: organization-defined frequency].
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
When required by information system changes; and
[Assignment: organization-defined frequency] thereafter.
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
The organization coordinates incident response testing with organizational elements responsible for related plans.
The organization:
Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
Coordinates incident handling activities with contingency planning activities; and
Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
The organization employs automated mechanisms to support the incident handling process.
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
The organization implements incident handling capability for insider threats.
The organization coordinates incident handling capability for insider threats across [Assignment: organization-defined components or elements of the organization].
The organization coordinates with [Assignment: organization-defined external organizations] to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
The organization employs [Assignment: organization-defined dynamic response capabilities] to effectively respond to security incidents.
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
The organization tracks and documents information system security incidents.
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
The organization:
Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
Reports security incident information to [Assignment: organization-defined authorities].
The organization employs automated mechanisms to assist in the reporting of security incidents.
The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles].
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
The organization:
Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and
Identifies organizational incident response team members to the external providers.
The organization:
Develops an incident response plan that:
Provides the organization with a roadmap for implementing its incident response capability;
Describes the structure and organization of the incident response capability;
Provides a high-level approach for how the incident response capability fits into the overall organization;
Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
Defines reportable incidents;
Provides metrics for measuring the incident response capability within the organization;
Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
Is reviewed and approved by [Assignment: organization-defined personnel or roles];
Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
Reviews the incident response plan [Assignment: organization-defined frequency];
Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
Protects the incident response plan from unauthorized disclosure and modification.
The organization responds to information spills by:
Identifying the specific information involved in the information system contamination;
Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
Isolating the contaminated information system or system component;
Eradicating the information from the contaminated information system or component;
Identifying other information systems or system components that may have been subsequently contaminated; and
Performing other [Assignment: organization-defined actions].
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
The organization provides information spillage response training [Assignment: organization-defined frequency].
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
Reviews and updates the current:
System maintenance policy [Assignment: organization-defined frequency]; and
System mainten
ance procedures [Assignment: organization-defined frequency].
The organization:
Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;
Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and
Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
[Withdrawn: Incorporated into MA-2].
The organization:
Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and
Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed.
The organization approves, controls, and monitors information system maintenance tools.
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
Verifying that there is no organizational information contained on the equipment;
Sanitizing or destroying the equipment;
Retaining the equipment within the facility; or
Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
The information system restricts the use of maintenance tools to authorized personnel only.
The organization:
Approves and monitors nonlocal maintenance and diagnostic activities;
Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
Maintains records for nonlocal maintenance and diagnostic activities; and
Terminates session and network connections when nonlocal maintenance is completed.
The organization:
Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
Reviews the records of the maintenance and diagnostic sessions.
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
The organization:
Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or
Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.
The organization protects nonlocal maintenance sessions by:
Employing [Assignment: organization-defined authenticators that are replay resistant]; and
Separating the maintenance sessions from other network sessions with the information system by either:
Physically separated communications paths; or
Logically separated communications paths based upon encryption.
The organization:
Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
The organization:
Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
The organization:
Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
The organization ensures that:
Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
The organization performs preventive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
The organization performs predictive maintenance on [Assignment: organization-defined information system components] at [Assignment: organization-defined time intervals].
The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.
The organization:
Develops, documents, and disseminates to [Assignment:
organization-defined personnel or roles]:
A media protection policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination
among
organizational
and compliance;
and
Procedures
to facilitateentities,
the implementation
of the
media
protection policy and associated media protection controls; and

Reviews and updates the current:


Media protection policy [Assignment: organization-defined
frequency]; and
Media protection procedures [Assignment: organization-defined
frequency].
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
[Withdrawn: Incorporated into MP-4 (2)].
[Withdrawn: Incorporated into SC-28 (1)].
The organization:
Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
The organization:
Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
[Withdrawn: Incorporated into SC-28 (1)].
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
The organization:
Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
Maintains accountability for information system media during transport outside of controlled areas;
Documents activities associated with the transport of information system media; and
Restricts the activities associated with the transport of information system media to authorized personnel.
[Withdrawn: Incorporated into MP-5].
[Withdrawn: Incorporated into MP-5].
The organization employs an identified custodian during
transport of information system media outside of controlled
areas.

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
The organization:
Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
[Withdrawn: Incorporated into MP-6].
[Withdrawn: Incorporated into MP-6].
[Withdrawn: Incorporated into MP-6].
The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media].
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions].
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
The organization prohibits the use of sanitization-resistant media in organizational information systems.
The organization:
Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];
Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
Identifies [Assignment: organization-defined information system media requiring downgrading]; and
Downgrades the identified information system media using the established process.
The organization documents information system media
downgrading actions.
The organization employs [Assignment: organization-defined
tests] of downgrading equipment and procedures to verify
correct performance [Assignment: organization-defined
frequency].

The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies.
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
Reviews and updates the current:
Physical and environmental protection policy [Assignment: organization-defined frequency]; and
Physical and environmental protection procedures [Assignment: organization-defined frequency].
The organization:
Develops, approves, and maintains a list of individuals with
authorized access to the facility where the information system
resides;
Issues authorization credentials for facility access;
Reviews the access list detailing authorized facility access by
individuals [Assignment: organization-defined frequency]; and
Removes individuals from the facility access list when access is
no longer required.
The organization authorizes physical access to the facility
where the information system resides based on position or role.
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
The organization:
Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
Verifying individual access authorizations before granting access to the facility; and
Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
Secures keys, combinations, and other physical access devices;
Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
The organization employs [Assignment: organization-defined security safeguards] to [Selection (one or more): detect; prevent] physical tampering or alteration of [Assignment: organization-defined hardware components] within the information system.
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
The organization:
Controls physical access to output from [Assignment:
organization-defined output devices]; and
Ensures that only authorized individuals receive output from
the device.
The information system:
Controls physical access to output from [Assignment:
organization-defined output devices]; and
Links individual identity to receipt of the output from the
device.
The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.
The organization:
Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
Coordinates results of reviews and investigations with the organizational incident response capability.
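The physical access monitoring control above (PE-6) requires that physical access logs be reviewed on a schedule and upon defined events, with results fed to incident response; PE-3 is what produces those logs at the entry/exit points. The script below is an added example, not part of NIST SP 800-53 or of any physical access control system: it parses a constructed badge-reader export and applies three review rules a practitioner would typically start with: a restricted space opened outside business hours, a restricted space opened with no perimeter entry recorded for that badge on the same day (a tailgating indicator), and repeated denials for one badge within a short window (a lost or cloned badge being tried). The door names, hours, thresholds, and log lines are all assumptions of the example.

```python
"""Review badge-reader logs for events that warrant PE-6 follow-up (added example)."""
import csv
from collections import defaultdict
from datetime import datetime, time, timedelta
from io import StringIO

# Constructed sample export (timestamp,door,badge,result); not real data
SAMPLE_LOG = """\
timestamp,door,badge,result
2024-03-04T08:02:11,LOBBY,B1001,GRANTED
2024-03-04T08:02:40,SERVER-ROOM,B1001,GRANTED
2024-03-04T08:15:03,LOBBY,B1002,GRANTED
2024-03-04T12:40:12,SERVER-ROOM,B1002,DENIED
2024-03-04T12:40:30,SERVER-ROOM,B1002,DENIED
2024-03-04T12:41:02,SERVER-ROOM,B1002,DENIED
2024-03-04T23:17:45,SERVER-ROOM,B1003,GRANTED
2024-03-05T09:00:00,SERVER-ROOM,B1004,GRANTED
"""

RESTRICTED_DOORS = {"SERVER-ROOM"}          # assumed: spaces holding system components
PERIMETER_DOOR = "LOBBY"                     # assumed: the authorized facility entry point
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed organization-defined hours
DENIED_THRESHOLD, DENIED_WINDOW = 3, timedelta(minutes=10)  # assumed thresholds


def parse_log(text):
    """Parse the CSV export into dicts with a datetime `ts`, sorted chronologically."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def review(rows):
    """Return a chronological list of (rule, badge, timestamp) findings."""
    findings = []
    denied = defaultdict(list)   # badge -> timestamps of DENIED inside the window
    last_perimeter = {}          # badge -> most recent GRANTED at the perimeter door
    for r in rows:
        ts, badge, door, result = r["ts"], r["badge"], r["door"], r["result"]
        if result == "GRANTED" and door == PERIMETER_DOOR:
            last_perimeter[badge] = ts
        if result == "GRANTED" and door in RESTRICTED_DOORS:
            # Rule 1: restricted-area access outside business hours
            if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
                findings.append(("after_hours_restricted_access", badge, ts))
            # Rule 2: inner door opened with no perimeter entry that day (tailgating indicator)
            entered = last_perimeter.get(badge)
            if entered is None or entered.date() != ts.date():
                findings.append(("restricted_access_without_perimeter_entry", badge, ts))
        if result == "DENIED":
            # Rule 3: repeated denials for one badge within DENIED_WINDOW
            denied[badge] = [t for t in denied[badge] if ts - t <= DENIED_WINDOW] + [ts]
            if len(denied[badge]) == DENIED_THRESHOLD:
                findings.append(("repeated_denied_attempts", badge, ts))
    return findings


if __name__ == "__main__":
    for rule, badge, ts in review(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {badge}  {rule}")
```

Findings from rules 1 and 2 are the kind of "potential indications of events" the control expects to trigger an out-of-cycle review; rule 3 output is usually routed straight to the incident response capability, since a badge being tried repeatedly on a restricted door is rarely benign.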
The organization monitors physical intrusion alarms and
surveillance equipment.
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].
[Withdrawn: Incorporated into PE-2 and PE-3].
The organization:
Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
Reviews visitor access records [Assignment: organization-defined frequency].
The organization employs automated mechanisms to facilitate
the maintenance and review of visitor access records.
[Withdrawn: Incorporated into PE-2].
The organization protects power equipment and power cabling
for the information system from damage and destruction.
The organization employs redundant power cabling paths that
are physically separated by [Assignment: organization-defined
distance].
The organization employs automatic voltage controls for
[Assignment: organization-defined critical information system
components].
The organization:
Provides the capability of shutting off power to the information system or individual system components in emergency situations;
Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
Protects emergency power shutoff capability from unauthorized activation.
[Withdrawn: Incorporated into PE-10].
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
The organization provides a long-term alternate power supply for the information system that is:
Self-contained;
Not reliant on external power generation; and
Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period].
The organization:
Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
Monitors temperature and humidity levels [Assignment: organization-defined frequency].
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
The organization:
Employs [Assignment: organization-defined security controls] at alternate work sites;
Assesses as feasible, the effectiveness of security controls at alternate work sites; and
Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
The organization protects the information system from information leakage due to electromagnetic signals emanations.
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
The organization:
Employs [Assignment: organization-defined asset location technologies] to track and monitor the location and movement of [Assignment: organization-defined assets] within [Assignment: organization-defined controlled areas]; and
Ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
Reviews and updates the current:
Security planning policy [Assignment: organization-defined frequency]; and
Security planning procedures [Assignment: organization-defined frequency].
The organization:
Develops a security plan for the information system that:
Is consistent with the organization's enterprise architecture;
Explicitly defines the authorization boundary for the system;
Describes the operational context of the information system in terms of missions and business processes;
Provides the security categorization of the information system including supporting rationale;
Describes the operational environment for the information system and relationships with or connections to other information systems;
Provides an overview of the security requirements for the system;
Identifies any relevant overlays, if applicable;
Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and
Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
Reviews the security plan for the information system [Assignment: organization-defined frequency];
Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
Protects the security plan from unauthorized disclosure and modification.
[Withdrawn: Incorporated into PL-7].
[Withdrawn: Incorporated into PL-8].
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
[Withdrawn: Incorporated into PL-2].
The organization:
Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
[Withdrawn: Incorporated into Appendix J, AR-2].
[Withdrawn: Incorporated into PL-2].
The organization:
Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
Reviews and updates the CONOPS [Assignment: organization-defined frequency].
The organization:
Develops an information security architecture for the information system that:
Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
Describes how the information security architecture is integrated into and supports the enterprise architecture; and
Describes any information security assumptions about, and dependencies on, external services;
Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
The organization designs its security architecture using a defense-in-depth approach that:
Allocates [Assignment: organization-defined security safeguards] to [Assignment: organization-defined locations and architectural layers]; and
Ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.
The organization requires that [Assignment: organization-defined security safeguards] allocated to [Assignment: organization-defined locations and architectural layers] are obtained from different suppliers.
The organization centrally manages [Assignment: organization-defined security controls and related processes].
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
Reviews and updates the current:
Personnel security policy [Assignment: organization-defined frequency]; and
Personnel security procedures [Assignment: organization-defined frequency].
The organization:
Assigns a risk designation to all organizational positions;
Establishes screening criteria for individuals filling those positions; and
Reviews and updates position risk designations [Assignment: organization-defined frequency].
The organization:
Screens individuals prior to authorizing access to the information system; and
Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
Have valid access authorizations that are demonstrated by assigned official government duties; and
Satisfy [Assignment: organization-defined additional personnel screening criteria].
The organization, upon termination of individual employment:
Disables information system access within [Assignment:
organization-defined time period];
Terminates/revokes any authenticators/credentials associated
with the individual;
Conducts exit interviews that include a discussion of
[Assignment: organization-defined information security topics];
Retrieves all security-related organizational information
system-related property;
Retains access to organizational information and information
systems formerly controlled by terminated individual; and
Notifies [Assignment: organization-defined personnel or roles]
within [Assignment: organization-defined time period].
The organization:
Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.
The organization:
Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
The organization:
Develops and documents access agreements for organizational information systems;
Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
Ensures that individuals requiring access to organizational information and information systems:
Sign appropriate access agreements prior to being granted access; and
Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into PS-3].
The organization ensures that access to classified information requiring special protection is granted only to individuals who:
Have a valid access authorization that is demonstrated by assigned official government duties;
Satisfy associated personnel security criteria; and
Have read, understood, and signed a nondisclosure agreement.
The organization:
Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
The organization:
Establishes personnel security requirements including security roles and responsibilities for third-party providers;
Requires third-party providers to comply with personnel security policies and procedures established by the organization;
Documents personnel security requirements;
Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
Monitors provider compliance.
The organization:
Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
Reviews and updates the current:
Risk assessment policy [Assignment: organization-defined frequency]; and
Risk assessment procedures [Assignment: organization-defined frequency].
The organization:
Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance;
Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
The organization:
Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
Reviews risk assessment results [Assignment: organization-defined frequency];
Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
[Withdrawn: Incorporated into RA-3].
The organization:
Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
Enumerating platforms, software flaws, and improper configurations;
Formatting checklists and test procedures; and
Measuring vulnerability impact;
Analyzes vulnerability scan reports and results from security control assessments;
Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned.
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions].
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
[Withdrawn: Incorporated into CM-8].
The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.
[Withdrawn: Incorporated into CA-8].
The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.
The organization employs
a technical
countermeasures survey at [Assignment: organization-defined
locations]
[Selection (one or more): [Assignment: organizationThe organization:
defined frequency]; [Assignment: organization-defined events
or indicators occur]].
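The vulnerability scanning control above asks for standards-based enumeration of platforms and flaws with impact measurement, remediation within organization-defined response times, and automated comparison of scan results over time to determine trends. The following Python is an added example, not text or code from NIST or SP 800-53: it diffs two constructed scan snapshots keyed by host and CVE, carries each finding's first-seen date forward so remediation age is measured from first detection rather than from the latest rescan, and flags persisting findings older than a response-time table keyed by CVSS qualitative severity. The host names, CPE strings, the CVE-2099-* identifiers and the response-time values are all assumptions made for this illustration.

```python
"""Compare two vulnerability scan snapshots over time and flag findings that
have exceeded the organization-defined response time.

Added example, not text or code from NIST SP 800-53. The record format, host
names, CPE strings, CVE identifiers and the response-time table are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date

# Organization-defined remediation response times in days. The values are an
# assumption for this example; SP 800-53 leaves them to the organization.
RESPONSE_DAYS = {"CRITICAL": 15, "HIGH": 30, "MEDIUM": 90, "LOW": 180}


def cvss_severity(score: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (the impact measurement)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


@dataclass(frozen=True)
class Finding:
    host: str
    cpe: str          # platform enumeration (CPE 2.3 formatted string)
    cve: str          # software flaw enumeration (CVE identifier)
    cvss: float       # CVSS base score
    first_seen: date  # date the scanner first reported this host/CVE pair

    @property
    def key(self) -> tuple:
        return (self.host, self.cve)


# Constructed snapshots: CVE-2099-* are placeholder identifiers, not real CVEs.
SCAN_A_DATE = date(2024, 1, 8)
SCAN_A = [
    Finding("web01", "cpe:2.3:a:example:webapp:1.2:*:*:*:*:*:*:*", "CVE-2099-0001", 9.8, SCAN_A_DATE),
    Finding("web01", "cpe:2.3:a:example:webapp:1.2:*:*:*:*:*:*:*", "CVE-2099-0002", 5.3, SCAN_A_DATE),
    Finding("db01", "cpe:2.3:a:example:dbserver:4.0:*:*:*:*:*:*:*", "CVE-2099-0003", 6.5, SCAN_A_DATE),
]
SCAN_B_DATE = date(2024, 2, 12)  # 35 days after SCAN_A
SCAN_B = [
    Finding("web01", "cpe:2.3:a:example:webapp:1.2:*:*:*:*:*:*:*", "CVE-2099-0001", 9.8, SCAN_B_DATE),
    Finding("db01", "cpe:2.3:a:example:dbserver:4.0:*:*:*:*:*:*:*", "CVE-2099-0003", 6.5, SCAN_B_DATE),
    Finding("db01", "cpe:2.3:a:example:dbserver:4.0:*:*:*:*:*:*:*", "CVE-2099-0004", 3.1, SCAN_B_DATE),
]


def severity_counts(findings) -> dict:
    """Per-severity totals for one snapshot; comparing these across scans gives the trend."""
    counts = {}
    for f in findings:
        sev = cvss_severity(f.cvss)
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def compare_scans(earlier, later, later_date: date) -> dict:
    """Classify findings as new, resolved or persisting, and flag persisting ones
    whose age (measured from first detection) exceeds the response time."""
    before = {f.key: f for f in earlier}
    after = {f.key: f for f in later}
    new = sorted((after[k] for k in after.keys() - before.keys()), key=lambda f: f.key)
    resolved = sorted((before[k] for k in before.keys() - after.keys()), key=lambda f: f.key)
    # Carry the original first_seen forward so a rescan does not reset the clock.
    persisting = sorted(
        (replace(after[k], first_seen=before[k].first_seen) for k in after.keys() & before.keys()),
        key=lambda f: f.key,
    )
    overdue = [
        f for f in persisting
        if (later_date - f.first_seen).days > RESPONSE_DAYS.get(cvss_severity(f.cvss), float("inf"))
    ]
    return {"new": new, "resolved": resolved, "persisting": persisting, "overdue": overdue}


if __name__ == "__main__":
    result = compare_scans(SCAN_A, SCAN_B, SCAN_B_DATE)
    print("trend:", severity_counts(SCAN_A), "->", severity_counts(SCAN_B))
    for bucket in ("new", "resolved", "persisting", "overdue"):
        print(bucket, [f"{f.host}/{f.cve}" for f in result[bucket]])
```

Running the module prints the per-severity trend between the two snapshots and the new, resolved, persisting and overdue buckets. The design point is the carried-forward first_seen: a scanner that timestamps each finding with the current scan date would restart the remediation clock on every rescan and hide breaches of the response time.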

The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
Reviews and updates the current:
System and services acquisition policy [Assignment:
organization-defined frequency]; and
System and services acquisition procedures [Assignment:
organization-defined frequency].
The organization:
Determines information security requirements for the information system or information system service in mission/business process planning;
Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
Establishes a discrete line item for information security in organizational programming and budgeting documentation.
The organization:
Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
Defines and documents information security roles and responsibilities throughout the system development life cycle;
Identifies individuals having information security roles and
responsibilities; and
Integrates the organizational information security risk
management process into system development life cycle
activities.
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
Security functional requirements;
Security strength requirements;
Security assurance requirements;
Security-related documentation requirements;
Requirements for protecting security-related documentation;
Description of the information system development environment and environment in which the system is intended to operate; and
Acceptance criteria.
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].
[Withdrawn: Incorporated into CM-8 (9)].
The organization requires the developer of the information system, system component, or information system service to:
Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
The organization:
Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
The organization:
Limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and
Requires, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated.
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
The organization:
Obtains administrator documentation for the information
system, system component, or information system service that
describes:
Secure configuration, installation, and operation of the system,
component, or service;
Effective use and maintenance of security
functions/mechanisms; and
Known vulnerabilities regarding configuration and use of
administrative (i.e., privileged) functions;

Obtains user documentation for the information system, system component, or information system service that describes:
User-accessible security functions/mechanisms and how to
effectively use those security functions/mechanisms;
Methods for user interaction, which enables individuals to use
the system, component, or service in a more secure manner;
and
User responsibilities in maintaining the security of the system,
component, or service;
Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;
Protects documentation as required, in accordance with the risk management strategy; and
Distributes documentation to [Assignment: organization-defined personnel or roles].
[Withdrawn: Incorporated into SA-4 (1)].
[Withdrawn: Incorporated into SA-4 (2)].
[Withdrawn: Incorporated into SA-4 (2)].
[Withdrawn: Incorporated into SA-4 (2)].
[Withdrawn: Incorporated into SA-4 (2)].
[Withdrawn: Incorporated into CM-10 and SI-7].
[Withdrawn: Incorporated into CM-11 and SI-7].
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
The organization:
Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
The organization:
Conducts an organizational assessment of risk prior to the
acquisition or outsourcing of dedicated information security
services; and
Ensures that the acquisition or outsourcing of dedicated
information security services is approved by [Assignment:
organization-defined personnel or roles].

The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
The organization establishes, documents, and maintains trust relationships with external service providers based on [Assignment: organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships].
The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
The organization requires the developer of the information system, system component, or information system service to:
Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
Implement only organization-approved changes to the system, component, or service;
Document approved changes to the system, component, or service and the potential security impacts of such changes; and
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.
The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions and software/firmware source and object code with previous versions.
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
The organization requires the developer of the information system, system component, or information system service to:
Create and implement a security assessment plan;
Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
Implement a verifiable flaw remediation process; and
Correct flaws identified during security testing/evaluation.

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
The organization:
Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
The organization requires the developer of the information system, system component, or information system service to perform a manual code review of [Assignment: organization-defined specific code] using [Assignment: organization-defined processes, procedures, and/or techniques].
The organization requires the developer of the information system, system component, or information system service to perform penetration testing at [Assignment: organization-defined breadth/depth] and with [Assignment: organization-defined constraints].
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.
The organization employs [Assignment: organization-defined tailored acquisition strategies, contract tools, and procurement methods] for the purchase of the information system, system component, or information system service from suppliers.
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
[Withdrawn: Incorporated into SA-12 (1)].
[Withdrawn: Incorporated into SA-12 (13)].
The organization employs [Assignment: organization-defined security safeguards] to limit harm from potential adversaries identifying and targeting the organizational supply chain.
[Withdrawn: Incorporated into SA-12 (1)].
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
The organization employs [Selection (one or more): organizational analysis, independent third-party analysis, organizational penetration testing, independent third-party penetration testing] of [Assignment: organization-defined supply chain elements, processes, and actors] associated with the information system, system component, or information system service.

The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
The organization:
Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.
The organization identifies critical information system components and functions by performing a criticality analysis for [Assignment: organization-defined information systems, information system components, or information system services] at [Assignment: organization-defined decision points in the system development life cycle].
[Withdrawn: Incorporated into SA-20].
The organization:
Requires the developer of the information system, system
component, or information system service to follow a
documented
development
process
that:
Explicitly addresses
security
requirements;
Identifies the standards and tools used in the development
process;
Documents the specific tool options and tool configurations
used in the development process; and
Documents, manages, and ensures the integrity of changes to
the process and/or tools used in development; and
Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization-defined security requirements].
The organization requires the developer of the information system, system component, or information system service to:
Define quality metrics at the beginning of the development
process; and
Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
The organization requires the developer of the information system, system component, or information system service to select and employ a security tracking tool for use during the development process.
The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at [Assignment: organization-defined breadth/depth] and at [Assignment: organization-defined decision points in the system development life cycle].
The organization requires that developers perform threat modeling and a vulnerability analysis for the information system at [Assignment: organization-defined breadth/depth] that:
Uses [Assignment: organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels];
Employs [Assignment: organization-defined tools and methods]; and
Produces evidence that meets [Assignment: organization-defined acceptance criteria].
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.
The organization requires the developer of the information system, system component, or information system service to:
Perform an automated vulnerability analysis using
[Assignment: organization-defined tools];
Determine the exploitation potential for discovered
vulnerabilities;
Determine potential risk mitigations for delivered
vulnerabilities; and
Deliver the outputs of the tools and results of the analysis to
[Assignment: organization-defined personnel or roles].
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
Is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture;
Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.
The organization requires the developer of the information system, system component, or information system service to:
Produce, as an integral part of the development process, a formal policy model describing the [Assignment: organization-defined elements of organizational security policy] to be enforced; and
Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.
The organization requires the developer of the information system, system component, or information system service to:
Define security-relevant hardware, software, and firmware; and
Provide a rationale that the definition for security-relevant
hardware, software, and firmware is complete.
The organization requires the developer of the information
system, system component, or information system service to:
Produce, as an integral part of the development process, a
formal top-level specification that specifies the interfaces to
security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;
Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and
Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
The organization requires the developer of the information system, system component, or information system service to:
Produce, as an integral part of the development process, an
informal descriptive top-level specification that specifies the
interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;
Show via [Selection: informal demonstration, convincing argument with formal methods as feasible] that the descriptive top-level specification is consistent with the formal policy model;
Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and
Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware.
The organization requires the developer of the information system, system component, or information system service to:
Design and structure the security-relevant hardware, software,
and firmware to use a complete, conceptually simple protection
mechanism with precisely defined semantics; and
Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
The organization implements a tamper protection program for the information system, system component, or information system service.
The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design, development, integration, operations, and maintenance.

The organization inspects [Assignment: organization-defined information systems, system components, or devices] [Selection (one or more): at random; at [Assignment: organization-defined frequency], upon [Assignment: organization-defined indications of need for inspection]] to detect tampering.
The organization:
Develops and implements anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the information system; and
Reports counterfeit information system components to [Selection (one or more): source of counterfeit component; [Assignment: organization-defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
The organization scans for counterfeit information system
components [Assignment: organization-defined frequency].
The organization re-implements or custom develops
[Assignment: organization-defined critical information system
components].
The organization requires that the developer of [Assignment:
organization-defined information system, system component,
or information system service]:
Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
Satisfy [Assignment: organization-defined additional personnel screening criteria].
The organization requires the developer of the information system, system component, or information system service take [Assignment: organization-defined actions] to ensure that the required access authorizations and screening criteria are satisfied.
The organization:
Replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer; and
Provides justification and documents approval for the continued use of unsupported system components required to satisfy mission/business needs.
The organization provides [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]] for unsupported information system components.
The organization:
Develops, documents, and disseminates to [Assignment:
organization-defined personnel or roles]:
A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
Reviews and updates the current:
System and communications protection policy [Assignment: organization-defined frequency]; and
System and communications protection procedures [Assignment: organization-defined frequency].
The information system separates user functionality (including
user interface services) from information system management
functionality.
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
The information system isolates security functions from nonsecurity functions.
The information system utilizes underlying hardware separation
mechanisms to implement security function isolation.
The information system isolates security functions enforcing
access and information flow control from nonsecurity functions
and
from other security
functions.
The organization
minimizes
the number of nonsecurity
functions included within the isolation boundary containing
security
functions.
The organization
implements security functions as largely
independent modules that maximize internal cohesiveness
within
modules and
minimize security
couplingfunctions
between as
modules.
The organization
implements
a layered
structure minimizing interactions between layers of the design
and
avoiding anysystem
dependence
by unauthorized
lower layers on
the
The information
prevents
and
unintended
functionality
or
correctness
of
higher
layers.
information transfer via shared system resources.
[Withdrawn: Incorporated into SC-4].
The information system prevents unauthorized information
transfer via shared resources in accordance with [Assignment:
organization-defined
procedures]
when system
processing
The information system
protects against
or limits
the effects of
explicitly
switches
between
different
information
classification
the following types of denial of service attacks: [Assignment:
levels
or security categories.
organization-defined
types
of denial
service
attacks or to
The information system
restricts
the of
ability
of individuals
references
to
sources
for
such
information]
by
employing
launch [Assignment: organization-defined denial of service
[Assignment:
organization-defined
security safeguards].
attacks]
against
other information
systems.
The information
system
manages excess
capacity, bandwidth,
or other redundancy to limit the effects of information flooding
denial
of service attacks.
The organization:
Employs [Assignment: organization-defined monitoring tools] to
detect indicators of denial of service attacks against the
information
system; and
Monitors [Assignment:
organization-defined information system
resources] to determine if sufficient resources exist to prevent
effective
denial of
service
attacks.
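Added example, not part of NIST SP 800-53 or this catalog: the two enhancements above (managing excess capacity to limit information flooding, and monitoring whether sufficient resources remain to withstand an attack) can be made concrete with a per-source token bucket placed in front of a global capacity reserve. The rates, the capacity figure and the request stream below are constructed values chosen for illustration; in a real deployment this logic lives in the load balancer or reverse proxy rather than in application code.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed parameters for the example (not from the catalog).
PER_SOURCE_RATE = 5.0     # requests replenished per second, per source
PER_SOURCE_BURST = 10.0   # maximum tokens one source may bank
GLOBAL_CAPACITY = 50      # total in-flight requests the system will carry


@dataclass
class Bucket:
    tokens: float = PER_SOURCE_BURST
    last: Optional[float] = None   # None until the first request is seen


@dataclass
class FloodGuard:
    """Per-source token buckets plus a global reserve (capacity management against flooding)."""
    clock: Callable[[], float] = time.monotonic
    buckets: dict = field(default_factory=lambda: defaultdict(Bucket))
    rejected: dict = field(default_factory=lambda: defaultdict(int))
    in_flight: int = 0

    def _refill(self, b: Bucket, now: float) -> None:
        if b.last is not None:
            b.tokens = min(PER_SOURCE_BURST, b.tokens + (now - b.last) * PER_SOURCE_RATE)
        b.last = now

    def admit(self, source: str) -> bool:
        now = self.clock()
        b = self.buckets[source]
        self._refill(b, now)
        # Per-source quota first: a flooder exhausts only its own bucket.
        if b.tokens < 1.0:
            self.rejected[source] += 1
            return False
        # Then the global reserve: once the system is full, further requests are
        # shed regardless of source, which bounds the damage a flood can do.
        if self.in_flight >= GLOBAL_CAPACITY:
            self.rejected[source] += 1
            return False
        b.tokens -= 1.0
        self.in_flight += 1
        return True

    def release(self) -> None:
        self.in_flight = max(0, self.in_flight - 1)

    def headroom(self) -> float:
        """Fraction of global capacity still free: the resource figure the monitoring item asks you to watch."""
        return 1.0 - self.in_flight / GLOBAL_CAPACITY


def simulate(stream):
    """Replay a constructed (timestamp, source) stream; return (admitted, rejected) counts per source."""
    now = [0.0]
    guard = FloodGuard(clock=lambda: now[0])
    admitted = defaultdict(int)
    for ts, src in stream:
        now[0] = ts
        if guard.admit(src):
            admitted[src] += 1
            guard.release()   # requests complete instantly in this replay
    return dict(admitted), dict(guard.rejected)


# Constructed stream: "flooder" sends 100 requests within one second while
# "normal" sends one request every half second over the same window.
STREAM = sorted([(i / 100.0, "flooder") for i in range(100)]
                + [(i * 0.5, "normal") for i in range(3)])

if __name__ == "__main__":
    print(simulate(STREAM))   # the flooder is capped at burst plus refill; "normal" is untouched
```

The per-source bucket is what keeps one flooder from starving everyone else; the global reserve is what keeps many moderate sources from doing so together. `headroom()` is the number to export to the monitoring tools the next item calls for.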
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].

The information system:
Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

[Withdrawn: Incorporated into SC-7].

[Withdrawn: Incorporated into SC-7].

The organization limits the number of external network connections to the information system.

The organization:
Implements a managed interface for each external telecommunication service;
Establishes a traffic flow policy for each managed interface;
Protects the confidentiality and integrity of the information being transmitted across each interface;
Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

[Withdrawn: Incorporated into SC-7 (18)].
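Added example, not catalog text: the traffic flow policy items above (each exception documented with a mission/business need and a duration, reviewed periodically, and removed once the need lapses) together with the deny-all, permit-by-exception rule can be written as a small policy evaluator. The rule set, addresses and dates are constructed for illustration; in production the permit rules become firewall configuration on the managed interface, and code like this is the review that keeps them honest.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowRule:
    """One documented exception to the default deny: who may talk to what, why, and until when."""
    src: str          # CIDR of permitted sources
    dst: str          # CIDR of permitted destinations
    proto: str        # "tcp" or "udp"
    dport: int
    need: str         # the documented mission/business need
    expires: date     # the stated duration of that need

    def matches(self, flow) -> bool:
        s, d, proto, dport = flow
        return (proto == self.proto and dport == self.dport
                and ip_address(s) in ip_network(self.src)
                and ip_address(d) in ip_network(self.dst))


class ManagedInterface:
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []   # (decision, flow, need) for audit

    def decide(self, flow, today: date) -> str:
        """Permit only on a live, documented exception; everything else is denied."""
        for r in self.rules:
            if r.matches(flow):
                if r.expires < today:
                    # The need has lapsed: the exception no longer counts even though it is still configured.
                    self.log.append(("deny-expired", flow, r.need))
                    return "deny"
                self.log.append(("permit", flow, r.need))
                return "permit"
        self.log.append(("deny-default", flow, None))
        return "deny"

    def review(self, today: date):
        """The periodic review: rules whose stated need has ended and should be removed."""
        return [r for r in self.rules if r.expires < today]

    def prune(self, today: date) -> int:
        stale = self.review(today)
        self.rules = [r for r in self.rules if r not in stale]
        return len(stale)


# Constructed rule set (documentation addresses from RFC 5737) and sample flows.
RULES = [
    FlowRule("10.20.0.0/16", "203.0.113.10/32", "tcp", 443, "vendor support portal", date(2025, 12, 31)),
    FlowRule("10.20.5.0/24", "198.51.100.0/24", "udp", 53, "external resolver during migration", date(2024, 6, 30)),
]
TODAY = date(2025, 3, 1)
FLOWS = [
    ("10.20.7.4", "203.0.113.10", "tcp", 443),   # documented exception, still in date -> permit
    ("10.20.5.9", "198.51.100.2", "udp", 53),    # exception whose need has expired -> deny
    ("10.20.7.4", "203.0.113.10", "tcp", 22),    # no rule at all -> default deny
]


def evaluate(rules=RULES, flows=FLOWS, today=TODAY):
    iface = ManagedInterface(rules)
    return [iface.decide(f, today) for f in flows]


if __name__ == "__main__":
    print(evaluate())
```

Note that the expired rule is refused at decision time as well as reported by `review()`: an exception that outlives its documented need is exactly what the review item exists to catch, and failing closed on it is cheaper than hoping someone reads the report.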
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

The information system:
Detects and denies outgoing communications traffic posing a threat to external information systems; and
Audits the identity of internal users associated with denied communications.

The organization prevents the unauthorized exfiltration of information across managed interfaces.

The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].

The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].

The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].

The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

The information system prevents discovery of specific system components composing a managed interface.

The information system enforces adherence to protocol formats.

The information system fails securely in the event of an operational failure of a boundary protection device.

The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.

The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.

The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].

The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.

The information system disables feedback to senders on protocol format validation failure.
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.

The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

[Withdrawn: Incorporated into SC-8].

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].

The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.

The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].

[Withdrawn: Incorporated into SC-12].

[Withdrawn: Incorporated into SC-12].

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

[Withdrawn: Incorporated into SC-13].

[Withdrawn: Incorporated into SC-13].

[Withdrawn: Incorporated into SC-13].

[Withdrawn: Incorporated into SC-13].

[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].
The information system:
Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
Provides an explicit indication of use to users physically present at the devices.

The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

[Withdrawn: Incorporated into SC-7].

The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].

The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].

The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.

The information system validates the integrity of transmitted security attributes.
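Added example serving two controls above, and not part of the catalog: the transmission enhancement that implements cryptographic mechanisms to detect changes to information during transmission, and the enhancement just above that validates the integrity of transmitted security attributes. It binds a security label and the payload under a single HMAC-SHA256 tag so that tampering with either one is rejected on receipt. The pre-shared key, the label names and the messages are constructed; in practice the key comes from the key management process the catalog describes separately. HMAC gives integrity only, so the "prevent unauthorized disclosure" selection would additionally require an authenticated encryption mode, which is not shown here.

```python
import hashlib
import hmac
import json
import struct

# Constructed pre-shared key for the example only; a real key is provisioned
# by the key management process and never embedded in source.
SHARED_KEY = bytes(range(32))
TAG_LEN = 32   # HMAC-SHA256 output length


def _canonical(attrs: dict) -> bytes:
    # Deterministic encoding so sender and receiver authenticate identical bytes.
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def seal(payload: bytes, attrs: dict, key: bytes = SHARED_KEY) -> bytes:
    """Frame = 4-byte attrs length | attrs | payload | HMAC over everything before the tag.

    Because the security attributes (e.g. a classification label) are inside the
    authenticated region, relabelling a message in transit is detected just like
    altering its payload.
    """
    a = _canonical(attrs)
    body = struct.pack("!I", len(a)) + a + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def open_frame(frame: bytes, key: bytes = SHARED_KEY):
    """Return (attrs, payload), or raise ValueError if the frame was altered."""
    if len(frame) < 4 + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    (alen,) = struct.unpack("!I", body[:4])
    if 4 + alen > len(body):
        raise ValueError("malformed attribute length")
    attrs = json.loads(body[4:4 + alen])
    return attrs, body[4 + alen:]


def relabel_attack(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path attacker rewriting the security label while the frame is in transit."""
    return frame.replace(old, new, 1)


def demo():
    """Seal a constructed message, then show a relabelling attempt being rejected."""
    attrs = {"classification": "CONFIDENTIAL", "origin": "sys-a"}
    frame = seal(b"quarterly figures", attrs)
    accepted = open_frame(frame)
    tampered = relabel_attack(frame, b'"CONFIDENTIAL"', b'"UNCLASSIFIED"')
    try:
        open_frame(tampered)
        caught = False
    except ValueError:
        caught = True
    return accepted, caught


if __name__ == "__main__":
    print(demo())
```

The length prefix matters: without it, a receiver would have to guess where the attributes end, and an attacker who can shift that boundary can move bytes between "label" and "data" without changing the authenticated bytes at all.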
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

The organization:
Defines acceptable and unacceptable mobile code and mobile code technologies;
Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
Authorizes, monitors, and controls the use of mobile code within the information system.

The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].

The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].

The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code].

The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.

The organization allows execution of permitted mobile code only in confined virtual machine environments.

The organization:
Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
Authorizes, monitors, and controls the use of VoIP within the information system.
The information system:
Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

[Withdrawn: Incorporated into SC-20].

The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

[Withdrawn: Incorporated into SC-21].

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

The information system protects the authenticity of communications sessions.

The information system invalidates session identifiers upon user logout or other session termination.

[Withdrawn: Incorporated into AC-12 (1)].

The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.

[Withdrawn: Incorporated into SC-23 (3)].
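Added example, not catalog text: a server-side session table that mints identifiers from the operating system CSPRNG, recognizes only identifiers it minted (so an attacker-supplied or pre-set identifier is never accepted, which is what defeats session fixation), invalidates them on logout, and drops them after a period of inactivity. The identifier length, the idle timeout and the user names are constructed values standing in for the organization-defined ones.

```python
import secrets
import time

SESSION_ID_BYTES = 32   # 256 bits from the OS CSPRNG; a constructed randomness requirement
IDLE_TIMEOUT = 900      # seconds of inactivity before the session is dropped; constructed value


class SessionStore:
    """Server-side session table: only identifiers created here are ever recognized."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user": ..., "last": ...}

    def create(self, user: str) -> str:
        # Unique and unpredictable; the client never gets to choose the value.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "last": self._clock()}
        return sid

    def resolve(self, sid: str):
        """Return the user for a live session, or None.

        A lookup rather than a format check is the point: a well-formed but
        client-chosen identifier is still unknown to the table and fails.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last"] > IDLE_TIMEOUT:
            self.terminate(sid)
            return None
        rec["last"] = now
        return rec["user"]

    def terminate(self, sid: str) -> bool:
        # Logout or any other termination removes the identifier outright.
        return self._sessions.pop(sid, None) is not None

    def __len__(self):
        return len(self._sessions)


def walkthrough():
    """Exercise the store with a controllable clock; returns the observed outcomes."""
    t = [1000.0]
    store = SessionStore(clock=lambda: t[0])
    sid = store.create("alice")
    results = {"valid": store.resolve(sid)}
    # Session fixation attempt: the attacker presents an identifier it chose itself.
    results["fixation"] = store.resolve("attacker-chosen-id")
    # Logout invalidates the identifier even though it is otherwise well-formed.
    store.terminate(sid)
    results["after_logout"] = store.resolve(sid)
    # Inactivity: a fresh session left untouched past IDLE_TIMEOUT is gone.
    sid2 = store.create("bob")
    t[0] += IDLE_TIMEOUT + 1
    results["after_idle"] = store.resolve(sid2)
    # Uniqueness across many sessions (probabilistic, but 256 bits makes a collision negligible).
    results["distinct"] = len({store.create("carol") for _ in range(1000)}) == 1000
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Two things are deliberately absent: any acceptance of a session identifier that arrives in a request before `create()` has been called for it, and any attempt to "validate" identifiers by shape. Both are common ways applications end up honoring identifiers they did not generate.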

The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.

The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.

The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.

The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.

[Withdrawn: Incorporated into SC-35].

The information system includes: [Assignment: organization-defined platform-independent applications].

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].

The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information].

The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.

The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].

The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.

[Withdrawn: Incorporated into SC-29 (1)].

The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.

The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]].

The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture.

The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components].
The organization:
Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
Estimates the maximum bandwidth of those channels.

The organization tests a subset of the identified covert channels to determine which channels are exploitable.

The organization reduces the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values].

The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system.

The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].

[Withdrawn: Incorporated into SC-8].

The information system at [Assignment: organization-defined information system components]:
Loads and executes the operating environment from hardware-enforced, read-only media; and
Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.

The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.

The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.

The organization:
Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and
Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.

The organization distributes [Assignment: organization-defined
processing and storage] across multiple physical locations.

The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components].

The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].

The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices].

The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.

The information system maintains a separate execution domain for each executing process.

The information system implements underlying hardware
separation mechanisms to facilitate process separation.

The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].

The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].

The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.

The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].

The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.

The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.

The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].

The information system:
Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].

The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.

The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.

The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].

The organization:
Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and
Authorizes, monitors, and controls the use of such components within the information system.

The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].
The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
Reviews and updates the current:
System and information integrity policy [Assignment: organization-defined frequency]; and
System and information integrity procedures [Assignment: organization-defined frequency].
The organization:
Identifies, reports, and corrects information system flaws;
Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
Incorporates flaw remediation into the organizational configuration management process.

The organization centrally manages the flaw remediation process.

The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

The organization:
Measures the time between flaw identification and flaw remediation; and
Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

[Withdrawn: Incorporated into SI-2].

The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].

The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.
The organization:
Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
Configures malicious code protection mechanisms to:
Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

The organization centrally manages malicious code protection mechanisms.

The information system automatically updates malicious code protection mechanisms.

[Withdrawn: Incorporated into AC-6 (10)].

The information system updates malicious code protection mechanisms only when directed by a privileged user.

[Withdrawn: Incorporated into MP-7].

The organization:
Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
Verifies that both detection of the test case and associated incident reporting occur.

The information system implements nonsignature-based malicious code detection mechanisms.
The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].

The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands].

The organization:
Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.
The organization:
Monitors the information system to detect:
Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
Unauthorized local, network, and remote connections;
Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
Deploys monitoring devices:
Strategically within the information system to collect organization-determined essential information; and
At ad hoc locations within the system to track specific types of transactions of interest to the organization;
Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

The organization employs automated tools to support near real-time analysis of events.

The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

[Withdrawn: Incorporated into AC-6 (10)].

The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].

[Withdrawn: Incorporated into SI-4].

The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].

The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].

The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.

The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].

The organization:
Analyzes communications traffic/event patterns for the information system;
Develops profiles representing common traffic patterns and/or events; and
Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

The organization correlates information from monitoring tools employed throughout the information system.

The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
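Added example, not catalog text: the profiling enhancement (develop profiles of common traffic patterns and use them to tune monitoring) and the two outbound-analysis enhancements (discover anomalies; detect covert exfiltration) can be combined into a small detector. It learns each host's normal daily outbound volume and destination set from a baseline window, then flags a day whose volume sits far above normal or a large first contact with a destination the host has never used. The flow records are constructed, and the two threshold constants are exactly the knobs the profiling enhancement expects you to tune against false positives and false negatives.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed tuning values; adjust them from the profile, not by guesswork.
Z_THRESHOLD = 4.0                 # flag a day whose outbound total is this many sigmas above normal
MIN_NEW_DEST_BYTES = 10_000_000   # ignore small first contacts so new destinations do not swamp analysts

# Constructed flow records: (day, src_host, dst_ip, dst_port, bytes_out).
# Days 1-7 form the baseline window; day 8 is the day under review.
BASELINE = [
    (day, host, dst, 443, nbytes)
    for day in range(1, 8)
    for host in ("ws-01", "ws-02", "ws-03")
    for dst, nbytes in (("203.0.113.5", 4_000_000 + 100_000 * day),
                        ("198.51.100.8", 1_000_000 - 20_000 * day))
]
DAY_UNDER_REVIEW = [
    (8, "ws-01", "203.0.113.5", 443, 4_100_000),
    (8, "ws-01", "198.51.100.8", 443, 1_050_000),
    (8, "ws-02", "203.0.113.5", 443, 3_900_000),
    (8, "ws-02", "198.51.100.8", 443, 900_000),
    (8, "ws-03", "203.0.113.5", 443, 4_000_000),
    (8, "ws-03", "192.0.2.77", 53, 95_000_000),   # 95 MB to a never-seen host over the DNS port
]


def build_profile(flows):
    """Per-host profile of normal daily outbound volume and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(set)                         # host -> {(dst, port)}
    for day, host, dst, port, nbytes in flows:
        daily[host][day] += nbytes
        dests[host].add((dst, port))
    profile = {}
    for host, per_day in daily.items():
        vals = list(per_day.values())
        mu = mean(vals)
        # A perfectly flat baseline would make any change "infinitely" anomalous;
        # floor sigma at 5% of the mean so the z-score stays meaningful.
        sigma = max(pstdev(vals), 0.05 * mu)
        profile[host] = {"mean": mu, "sigma": sigma, "dests": dests[host]}
    return profile


def analyze(flows, profile):
    """Flag hosts whose outbound volume or destinations deviate from their profile."""
    totals = defaultdict(int)
    findings = []
    for day, host, dst, port, nbytes in flows:
        totals[host] += nbytes
        p = profile.get(host)
        if p is None:
            findings.append((host, "unprofiled-host", f"{dst}:{port}"))
        elif (dst, port) not in p["dests"] and nbytes >= MIN_NEW_DEST_BYTES:
            findings.append((host, "new-destination", f"{dst}:{port} {nbytes} B"))
    for host, total in totals.items():
        p = profile.get(host)
        if p is None:
            continue
        z = (total - p["mean"]) / p["sigma"]
        if z > Z_THRESHOLD:   # one-sided: exfiltration shows up as excess outbound volume
            findings.append((host, "volume-spike", f"z={z:.1f} total={total}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(DAY_UNDER_REVIEW, build_profile(BASELINE)):
        print(finding)
```

Volume alone would miss a slow, steady leak that stays under `Z_THRESHOLD`; the destination rule alone would miss exfiltration over an already-approved destination. Running both over the same flow data, and feeding the profile back into the thresholds, is the practical shape of the three enhancements above.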

The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.

The organization implements [Assignment: organization-defined additional monitoring] of privileged users.

The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].

The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].

The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].

The information system discovers, collects, distributes, and uses indicators of compromise.

The organization:
Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
Generates internal security alerts, advisories, and directives as deemed necessary;
Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

The information system:
Verifies the correct operation of [Assignment: organization-defined security functions];
Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
[Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

[Withdrawn: Incorporated into SI-6].

The information system implements automated mechanisms to support the management of distributed security testing.

The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].

The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.

The organization employs centrally managed integrity verification tools.

[Withdrawn: Incorporated into SA-12].

The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.

The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].

The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].

The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].

The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges.

The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.

The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].

The organization:
Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.

The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].

The organization:
Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

The organization centrally manages spam protection mechanisms.

The information system automatically updates spam protection mechanisms.

The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6].
The information system checks the validity of [Assignment:
organization-defined information inputs].
The information system:
Provides a manual override capability for input validation of
[Assignment: organization-defined inputs];
Restricts the use of the manual override capability to only
[Assignment: organization-defined authorized individuals]; and
Audits the use of the manual override capability.
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period].
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.

The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].

The information system:
Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
Reveals error messages only to [Assignment: organization-defined personnel or roles].

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

The organization:
Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].

The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.

[Withdrawn: Incorporated into SI-7 (16)].

The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].

The organization, if information system component failures are detected:
Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
[Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.

The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].

The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].

The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].
The organization:
Develops and disseminates an organization-wide information security program plan that:
Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
Reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical); and
Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
Protects the information security program plan from unauthorized disclosure and modification.

The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

The organization:
Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
Ensures that information security resources are available for expenditure as planned.

The organization:
Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems:
Are developed and maintained;
Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
Are reported in accordance with OMB FISMA reporting requirements.
Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

The organization develops and maintains an inventory of its information systems.

The organization develops, monitors, and reports on the results of information security measures of performance.

The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

The organization:
Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
Implements the risk management strategy consistently across the organization; and
Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

The organization:
Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
Fully integrates the security authorization processes into an organization-wide risk management program.

The organization:
Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

The organization establishes an information security workforce development and improvement program.

The organization:
Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems:
Are developed and maintained; and
Continue to be executed in a timely manner;
Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

The organization establishes and institutionalizes contact with selected groups and associations within the security community:
To facilitate ongoing security education and training for organizational personnel;
To maintain currency with recommended security practices, techniques, and technologies; and
To share current security-related information including threats, vulnerabilities, and incidents.

The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

SUPPLEMENTAL GUIDANCE
This control addresses the establishment of policy and
procedures for the effective implementation of selected
security controls and control enhancements in the AC family.
Policy and procedures reflect applicable federal laws, Executive
Orders, directives, regulations, policies, standards, and
guidance. Security program policies and procedures at the
organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be
included as part of the general information security policy for
organizations or conversely, can be represented by multiple
policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
Information system account types include, for example,
individual, shared, group, system, guest/anonymous,
emergency, developer/manufacturer/vendor, temporary, and
service. Some of the account management requirements listed
above can be implemented by organizational information
systems. The identification of authorized users of the
information system and the specification of access privileges
reflects the requirements in other security controls in the
security plan. Users requiring administrative privileges on
information system accounts receive additional scrutiny by
appropriate organizational personnel (e.g., system owner,
mission/business owner, or chief information security officer)
responsible for approving such accounts and privileged access.
Organizations may choose to define access privileges or other
attributes by account, by type of account, or a combination of
both. Other attributes required for authorizing access include,
for example, restrictions on time-of-day, day-of-week, and
point-of-origin. In defining other account attributes,
organizations consider system-related requirements (e.g.,
scheduled maintenance, system upgrades) and
mission/business requirements, (e.g., time zone differences,
customer requirements, remote access to support travel
requirements). Failure to consider these factors could affect
information system availability. Temporary and emergency
accounts are accounts intended for short-term use.
Organizations establish temporary accounts as a part of normal
account activation procedures when there is a need for short-term accounts without the demand for immediacy in account
activation. Organizations establish emergency accounts in
response to crisis situations and with the need for rapid
account activation. Therefore, emergency account activation
may bypass normal account authorization processes.
Emergency and temporary accounts are not to be confused
with infrequently used accounts (e.g., local logon accounts
used for special tasks defined by organizations or when
network resources are unavailable). Such accounts remain
available and are not subject to automatic disabling or removal
dates. Conditions for disabling or deactivating accounts

The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.

This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.

In contrast to conventional access control approaches which employ static information system accounts and predefined sets of user privileges, dynamic access control approaches (e.g., service-oriented architectures) rely on run time access control decisions facilitated by dynamic privilege management. While user identities may remain relatively constant over time, user privileges may change more frequently based on ongoing mission/business requirements and operational needs of organizations. Dynamic privilege management can include, for example, the immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect any changes in privileges. Dynamic privilege management can also refer to mechanisms that change the privileges of users based on dynamic rules as opposed to editing specific user profiles. This type of privilege management includes, for example, automatic adjustments of privileges if users are operating out of their normal work times, or if information systems are under duress or in emergency maintenance situations. This control enhancement also includes the ancillary effects of privilege changes, for example, the potential changes to encryption keys used for communications. Dynamic privilege management can support the requirements for information system resiliency.

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.

Dynamic approaches for creating information system accounts (e.g., as implemented within service-oriented architectures) rely on establishing accounts (identities) at run time for entities that were previously unknown. Organizations plan for dynamic creation of information system accounts by establishing trust relationships and mechanisms with the appropriate authorities to validate related authorizations and privileges.

Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time.

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and

Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.

Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety. Dual authorization may also be known as two-person control.

Mandatory access control as defined in this control enhancement is synonymous with nondiscretionary access control, and is not constrained only to certain historical uses (e.g., implementations using the Bell-LaPadula Model). The above class of mandatory access control policies constrains what actions subjects can take with information obtained from data objects for which they have already been granted access, thus preventing the subjects from passing the information to unauthorized subjects and objects. This class of mandatory access control policies also constrains what actions subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the information system has control. Otherwise, the access control policy can be circumvented. This enforcement typically is provided via an implementation that meets the reference monitor concept (see AC-25). The policy is bounded by the information system boundary (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect). The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6). Trusted subjects are only given the minimum privileges relative to the above policy necessary for satisfying organizational mission/business needs. The control is most applicable when there is some policy mandate (e.g., law, Executive Order, directive, or regulation) that establishes a policy regarding access to sensitive/classified information and some users of the information system are not authorized access to all sensitive/classified information resident in the information system. This control can operate in conjunction with AC-3 (4). A subject that is constrained in its operation by policies governed by this control is still able to operate under the less rigorous constraints of AC-3 (4), but policies governed by this control take precedence over the less rigorous constraints of AC-3 (4). For example, while a mandatory access control policy imposes a constraint preventing a subject from passing information to another subject operating at a different sensitivity label, AC-3 (4) permits the subject to pass the information to any subject with the same sensitivity label as the subject.

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. This control enhancement can operate in conjunction with AC-3 (3). A subject that is constrained in its operation by policies governed by AC-3 (3) is still able to operate under the less rigorous constraints of this control enhancement. Thus, while AC-3 (3) imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, AC-3 (4) permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure that the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

Security-relevant information is any information within information systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security policies or maintain the isolation of code and data. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Secure, non-operable system states include the times in which information systems are not performing mission/business-related processing (e.g., the system is off-line for maintenance, troubleshooting, boot-up, shut down).

Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant

Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems

Information systems can only protect organizational information within the confines of established system boundaries. Additional security safeguards may be needed to ensure that such information is adequately protected once it is passed beyond the established information system boundaries. Examples of information leaving the system boundary include transmitting information to an external information system or printing the information on one of its printers. In cases where the information system is unable to make a determination of the adequacy of the protections provided by entities outside its boundary, as a mitigating control, organizations determine procedurally whether the external information systems are providing adequate security. The means used to determine the adequacy of the security provided by external information systems include, for example, conducting inspections or periodic testing, establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security policy to protect the information. This control enhancement requires information systems to employ technical or procedural means to validate the information prior to releasing it to external systems. For example, if the information system passes information to another system controlled by another organization, technical means are employed to validate that the security attributes

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural

Information flow enforcement mechanisms compare security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. Security attributes can also include, for example, source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information.

Within information systems, protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, information system processes are assigned to domains; information is identified by types; and information flows are controlled based on allowed information accesses (determined by domain and type), allowed signaling among domains, and allowed transitions to other domains.

Organizational policies regarding dynamic information flow control include, for example, allowing or disallowing information flows based on changing conditions or mission/operational considerations. Changing conditions include, for example, changes in organizational risk tolerance due to changes in the immediacy of mission/business needs, changes in the threat environment, and detection of potentially harmful or adverse events.

Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes, for example, inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that include multiple embedded data types. Metadata is information used to describe the characteristics of data. Metadata can include structural metadata describing data structures (e.g., data format, syntax, and semantics) or descriptive metadata describing data contents (e.g., age,
Limitations
on
data
type
embedding
consider
the
levels
offor
associated
with
the
exported
information
are
appropriate
location,
number).
Enforcing
allowed
information
solutions telephone
when required
to enforce
specific
security
policies.
Organization-defined
security
policy
filters
can
address
data
embedding
and
prohibit
levels
of
data
type
embedding
that
the
receiving
system.
Alternatively,
if
the
information
system
flows
based on
metadata
simpler
and more
effectiveare
Enforcement
includes,
for enables
example:
(i) prohibiting
information
structures
and
content.
For
example,
security
policy
filters
beyond
the
capability
of
the
inspection
tools.
passes
information
to
a
printer
in
organization-controlled
flow
control.
Organizations
consider
the trustworthiness
of for
transfers
between
interconnected
systems
(i.e., allowing
data
structures
can
check
for
maximum
file
lengths,
maximum
space,
means
can
be
employed
toknowledge
ensure
only
Organizations
define
security
policy
filters
for
all
situations
metadata
with(ii)
regard
to data
accuracy
(i.e.,
that
access procedural
only);
employing
hardware
mechanisms
to that
enforce
field
sizes,
and
data/file
types
(for
structured
and
unstructured
appropriately
authorized
individuals
gain
access
to
the
printer.
where
automated
flow
control
are possible.
Whendata
a
the
metadata
values
are
correct
with
respect
to the
data),
one-way
information
flows;
anddecisions
(iii)
implementing
trustworthy
data).
Security
policy
filters
data
content
can
check
for
This
control
enhancement
isfor
most
applicable
when
there
isa
fully
automated
flow
control
decision
is
not
possible,
then
integrity
(i.e.,
protecting
against
unauthorized
changes
to
regrading
mechanisms
to
reassign
security
attributes
and
For
example,
as
allowed
by the information
system
specific
words
(e.g.,
dirty/clean
word
filters),
some
policy
mandate
(e.g.,
law,
Executive
Order,
directive,
or
human
review
may
employed
in
lieu
of,
orenumerated
as the
ainformation
complement
metadata
tags),
andbe
the
binding
of
metadata
to
datafilters
security
labels.
Organizations
commonly
employ
authorization,
administrators
can
enable
security
policy
values
or
data
value
ranges,
and
hidden
content.
Structured
regulation)
that
establishes
policy
regarding
access
to
the
to,
automated
security
policy
filtering.
Human
reviews
may
payload
(i.e.,policies
ensuring
sufficiently
strong
binding
techniques
flow
control
and
enforcement
mechanisms
to control
to
accommodate
approved
data
types.
For
example,
to
reflect
changes
in
security
policies,
data
permits
the
interpretation
of
data
content
by
applications.
information,
and
that
policy
applies
beyond
the
realm
of
also
be
employed
as
deemed
necessary
by
organizations.
with
appropriate
levels between
of assurance).
the flow
of information
designated sources and a
administrators
can
change
the
list
of digital
dirty
words
that
Unstructured
data
typically
refers
to
information
without
particular
information
system
or
organization.
destinations (e.g., networks, individuals,
and
devices)
within
security
policy
mechanisms
check
in
accordance
with
the
a
particular
data
structure
or
with
a
data
structure
that
does
Data
type identifiers
include,
for example,
filenames,
file types,
information
systems and
between
interconnected
systems.
definitions
by
organizations.
not
facilitate
the
development
of rule
sets toof
address
the
file
and
internal
file
Flowsignatures/tokens,
controlprovided
is
based
on
themultiple
characteristics
the information
particular
of path.
the information
conveyed
by
the
data
signatures/tokens.
Information
systems
may
allow
transfer
of
and/orenforcement
thesensitivity
information
Enforcement
occurs,
for
example,
Policy
mechanisms
apply
filtering,
inspection,
or
the
associated
flow
enforcement
decisions.
Unstructured
data
only
if
compliant
with
data
type
format
specifications.
in
boundary
protection
devices
(e.g., gateways,subcomponents
routers,
and/or
sanitization
rules
to objects
the policy-relevant
data
consists
of: (i)tunnels,
bitmap
that
are
inherently
guards,
encrypted
firewalls)
that
employ
rule non
sets or
of
information
facilitate
flow
enforcement
prior
Data
structure to
and
content
restrictions
reduce
theto
range
of
language-based
(i.e.,
image,
video,
or
audio
files);
and (ii)
establish
configuration
settings
that
restrict
information
system
transferring
such
information
to
different
security
potential
malicious
and/or
unsanctioned
content
indomains.
crosstextual
objects
that
are
based
on
written
or
printed
languages
services,
providefiles
a packet-filtering
capability
based
on header
Parsing
transfer
facilitates
policy
decisions
on
source,
domain
transactions.
Security
policy
filters
that documents,
restrict
data
(e.g.,
commercial
off-the-shelf
word
processing
Detection
of
unsanctioned
information
includes,
for
example,
information, certificates,
or message-filtering
capability
based onand
message
destination,
classification,
attachments,
other
structures
include,
for
example,
restricting
file
sizes
and
field
spreadsheets,
or emails).toOrganizations
can
implement
more
checking
all
information
be
transferred
for
malicious
code
content
(e.g.,
implementing
key
word
searches
or
using
security-related
component
differentiators.
lengths.
content
policy
filters
include,
for example:
(i)
than
oneData
security
policy
filter
to meet
information
flow control
and
dirty
words.
document
characteristics).
Organizations
also consider
the
encoding
formats
for character
sets
(e.g.,
Universal
Character
objectives
(e.g.,
employing
clean
word
lists
in
conjunction
trustworthiness of filtering/inspection mechanisms (i.e., with
Set
Transformation
American
Standard
Code for
dirty
word firmware,
lists mayFormats,
help
to reduce
false
positives).
hardware,
and software
components)
that are critical
Attribution
a critical component
of a security
concept
of
InformationisInterchange);
(ii) restricting
character
data fields
to
to information flow enforcement. Control enhancements 3
operations.
ability to identify
source(iii)
and
destination
points
only containThe
alpha-numeric
characters;
prohibiting
special
through 22 primarily address cross-domain solution needs
for
information
in information
allows the
characters;
andflowing
(iv) validating
schemasystems,
structures.
which focus on more advanced filtering techniques, in-depth
forensic reconstruction of events when required, and
analysis, and stronger flow enforcement mechanisms
encourages policy compliance by attributing policy violations to
implemented in cross-domain products, for example, highspecific organizations/individuals. Successful domain
assurance guards. Such capabilities are generally not available
authentication requires that information system labels
in commercial off-the-shelf information technology products.
distinguish among systems, organizations, and individuals
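The security policy filter guidance above (structure checks on file size, field length and allowed types; data type identifiers checked against the actual file signature; limits on data type embedding depth; dirty word lists paired with clean word lists to reduce false positives; and the block/quarantine/alert responses, with quarantine feeding a human review) is easier to see as one working filter. The block below is an added example written for this page; it is not text or code from NIST SP 800-53 and not taken from any cross-domain product. The policy values, the signature table, the field names and every sample payload are constructed assumptions, and a real filter would also recurse content checks into archive members.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Hypothetical data type identifiers: declared type -> leading file signature (magic bytes).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

@dataclass(frozen=True)
class Policy:
    """Hypothetical organization-defined filter parameters (assumed values, not NIST's)."""
    max_bytes: int = 4096
    max_field_len: int = 32
    allowed_types: frozenset = frozenset({"png", "pdf", "txt", "zip"})
    alnum_fields: frozenset = frozenset({"sender", "recipient"})
    required_fields: frozenset = frozenset({"sender", "recipient", "type"})
    max_embedding_depth: int = 1  # archive levels the inspection tooling can look into
    dirty_words: frozenset = frozenset({"secret", "noforn"})
    clean_phrases: frozenset = frozenset({"secret santa"})  # approved uses of a dirty word

@dataclass
class Verdict:
    action: str  # "allow", "block" or "quarantine" (quarantine = hold for human review)
    reasons: list = field(default_factory=list)

def detect_type(data: bytes) -> str:
    """Identify the data type from the actual bytes, not from what the sender declares."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    try:
        data.decode("utf-8")
        return "txt"  # plain text has no signature; it is identified by decoding cleanly
    except UnicodeDecodeError:
        return "unknown"

def embedding_depth(data: bytes, depth: int = 0) -> int:
    """Levels of archive-in-archive embedding; a non-archive object is depth 0."""
    if not data.startswith(SIGNATURES["zip"]):
        return depth
    deepest = depth + 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            deepest = max(deepest, embedding_depth(zf.read(name), depth + 1))
    return deepest

def dirty_word_hits(text: str, policy: Policy) -> list:
    """Dirty-word matches, minus those inside an approved clean phrase (fewer false positives)."""
    lowered = text.lower()
    clean_spans = [m.span() for p in policy.clean_phrases for m in re.finditer(re.escape(p), lowered)]
    return [m.group() for word in policy.dirty_words
            for m in re.finditer(r"\b" + re.escape(word) + r"\b", lowered)
            if not any(s <= m.start() and m.end() <= e for s, e in clean_spans)]

def filter_transfer(fields: dict, payload: bytes, policy: Policy = Policy()) -> Verdict:
    """Structure, type-identifier and embedding violations block; content hits are quarantined."""
    v = Verdict("allow")
    if missing := policy.required_fields - set(fields):
        v.reasons.append(f"schema: missing fields {sorted(missing)}")
    for name, value in fields.items():
        if len(value) > policy.max_field_len:
            v.reasons.append(f"field {name}: length {len(value)} > {policy.max_field_len}")
        if name in policy.alnum_fields and not re.fullmatch(r"[A-Za-z0-9]+", value):
            v.reasons.append(f"field {name}: non-alphanumeric characters")
    if len(payload) > policy.max_bytes:
        v.reasons.append(f"payload: {len(payload)} bytes > {policy.max_bytes}")
    declared, actual = fields.get("type", ""), detect_type(payload)
    if declared not in policy.allowed_types:
        v.reasons.append(f"type {declared!r} not allowed")
    elif declared != actual:  # the metadata must be accurate with respect to the data
        v.reasons.append(f"declared type {declared!r} but signature says {actual!r}")
    if actual == "zip":
        try:
            depth = embedding_depth(payload)
        except zipfile.BadZipFile:
            depth = None  # unreadable archive: the inspection tools cannot look inside it
        if depth is None or depth > policy.max_embedding_depth:
            v.reasons.append(f"embedding depth {depth} exceeds inspection capability")
    if v.reasons:
        v.action = "block"
        return v
    if actual == "txt":
        hits = dirty_word_hits(payload.decode("utf-8"), policy)
        if hits:
            v.action, v.reasons = "quarantine", [f"dirty words: {sorted(set(hits))}"]
    return v

def make_zip(members: dict) -> bytes:
    """Constructed sample input: a small in-memory archive (no files on disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

A declared type that does not match the signature is treated as a structural violation rather than a content hit, because it means the metadata the flow decision would rely on is wrong. Clean phrases are matched on the lowered text and suppress only dirty-word matches that fall entirely inside them, so "Top Secret" is still caught while "secret santa" is not.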

Binding techniques implemented by information systems affect the strength of security attribute binding to information. Binding strength and the assurance associated with binding techniques play an important part in the trust organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations.

This control enhancement requires the validation of metadata and the data to which the metadata applies. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions, considering metadata and the data to which the metadata applies as part of the payload. All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection.

Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The Unified Cross Domain Management Office (UCDMO) provides a baseline listing of approved cross-domain solutions.

Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories.

The information system, for example, provides a desktop for users to access each connected security domain without providing any mechanisms to allow transfer of information between the different security domains.

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.

Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.

This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Providing separate processing domains for finer-grained allocation of user privileges includes, for example: (i) using virtualization techniques to allow additional privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying actual machine; (ii) employing hardware and/or software domain separation mechanisms; and (iii) implementing separate physical domains.

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.

The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions.

In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by organizations.

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).

Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.

This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.

This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device. Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.

System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.
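The unsuccessful logon guidance above describes two mechanisms without showing either: a lockout that is temporary and releases automatically after an organization-defined period (so that the lockout itself cannot be turned into a denial of service), and a delay algorithm that slows repeated attempts. The block below is an added example written for this page, not an implementation from SP 800-53 or any product. Every number is a hypothetical organization-defined value, the exponential delay is one possible algorithm among many, and the clock is injectable so the behaviour can be exercised offline without waiting.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical organization-defined values (assumptions, not numbers from SP 800-53)."""
    max_failures: int = 5       # consecutive failures that trigger a temporary lock
    window_s: float = 900.0     # failures older than this no longer count
    lock_s: float = 600.0       # the lock releases by itself after this long
    base_delay_s: float = 1.0   # delay algorithm: base * 2 ** (failures - 1), capped
    max_delay_s: float = 30.0

@dataclass
class AccountState:
    failures: int = 0
    first_failure: float = 0.0
    locked_until: float = 0.0

class LogonThrottle:
    """Per-account lockout and delay, consulted before credentials are checked.

    The clock is injectable so the behaviour can be exercised without real waiting."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy(), clock=time.monotonic):
        self.policy, self.clock, self.state = policy, clock, {}

    def _account(self, account: str) -> AccountState:
        return self.state.setdefault(account, AccountState())

    def _expire(self, st: AccountState, now: float) -> None:
        """Automatic release of an expired lock; stale failures age out of the window."""
        if st.locked_until and st.locked_until <= now:
            st.failures, st.first_failure, st.locked_until = 0, 0.0, 0.0
        elif st.failures and now - st.first_failure > self.policy.window_s:
            st.failures, st.first_failure = 0, 0.0

    def check(self, account: str) -> tuple:
        """Returns ('locked', seconds_remaining), ('delay', seconds_to_wait) or ('ok', 0.0)."""
        st, now = self._account(account), self.clock()
        self._expire(st, now)
        if st.locked_until > now:
            return "locked", st.locked_until - now
        if st.failures == 0:
            return "ok", 0.0
        delay = min(self.policy.base_delay_s * 2 ** (st.failures - 1), self.policy.max_delay_s)
        return "delay", delay

    def record(self, account: str, success: bool) -> AccountState:
        """Update the counter after a credential check; a successful logon resets it to zero."""
        st, now = self._account(account), self.clock()
        self._expire(st, now)
        if success:
            st.failures, st.first_failure, st.locked_until = 0, 0.0, 0.0
        elif st.locked_until <= now:  # attempts made during a lock neither count nor extend it
            if st.failures == 0:
                st.first_failure = now
            st.failures += 1
            if st.failures >= self.policy.max_failures:
                st.locked_until = now + self.policy.lock_s
        return st
```

The same state machine can sit at the operating system or the application level; what differs is the policy values, which is why they are a separate object. Attempts made while locked are deliberately not counted, so an attacker cannot keep a victim's account locked indefinitely by continuing to hammer it.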

This control is applicable to logons to information systems via


human user interfaces and logons to systems that occur in
other types of architectures (e.g., service-oriented
architectures).

This control enhancement permits organizations to specify additional information to be provided to users upon logon including, for example, the location of last logon. User location is defined as that information which can be determined by information systems, for example, IP addresses from which network logons occurred, device identifiers, or notifications of local logons.

Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information

Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.

Publicly viewable images include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.

Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. Logout messages for web page access, for example, can be displayed after authenticated sessions have been terminated. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logout messages as final messages prior to terminating sessions.

This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.

Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions representing the basic properties or characteristics of active and passive entities with respect to safeguarding information. These attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, to cause information to flow among objects, or to change the information system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of security attributes to subjects and objects is referred to as binding and is typically inclusive of setting the attribute value and the attribute type. Security attributes, when bound to data/information, enable the enforcement of information security policies for access control and information flow control, either through organizational processes or information system functions or mechanisms. The content or

Dynamic association of security attributes is appropriate whenever the security characteristics of information changes over time. Security attributes may change, for example, due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information.

The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals.

The support provided by information systems can vary to include: (i) prompting users to select specific security attributes to be associated with specific information objects; (ii) employing automated mechanisms for categorizing information with appropriate attributes based on defined policies; or (iii) ensuring that the combination of selected security attributes is valid. Organizations consider the creation, deletion, or modification of security attributes when defining auditable events.

Maintaining the association and integrity of security attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. Automated policy actions include, for example, access control decisions or information flow control decisions.

Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include, for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants.

This control enhancement requires individual users (as opposed to the information system) to maintain associations of security attributes with subjects and objects.

In order to enforce security policies across multiple components in distributed information systems (e.g., distributed database management systems, cloud-based systems, and service-oriented architectures), organizations provide a consistent interpretation of security attributes that are used in access enforcement and flow enforcement decisions. Organizations establish agreements and processes to ensure that all distributed information system components implement security attributes with consistent interpretations in automated access/flow enforcement actions.

The association (i.e., binding) of security attributes to information within information systems is of significant importance with regard to conducting automated access enforcement and flow enforcement actions. The association of such security attributes can be accomplished with technologies/techniques providing different levels of assurance. For example, information systems can cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).

Validated re-grading mechanisms are employed by organizations to provide the requisite levels of assurance for security attribute reassignment activities. The validation is facilitated by ensuring that re-grading mechanisms are single purpose and of limited function. Since security attribute reassignments can affect security policy enforcement actions (e.g., access/flow enforcement decisions), using trustworthy re-grading mechanisms is necessary to ensure that such mechanisms perform in a consistent/correct mode of operation.

The content or assigned values of security attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for information systems to be able to limit the ability to create or modify security attributes to authorized individuals only.

Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.

Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).

The encryption strength of mechanism is selected based on the security categorization of the information.

Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.
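The security attribute guidance above (cryptographic binding of attributes to information, limiting attribute changes to authorized individuals, and single-purpose re-grading mechanisms) and the object security attribute flow rule given earlier under information flow enforcement (a Secret object may flow to a Secret destination but a Top Secret object may not, with block, quarantine or alert as the responses) combine into one small enforcement path. The block below is an added example for this page, not code from SP 800-53 or any product. The label ordering, the key and the sample objects are assumptions; HMAC-SHA256 with an in-memory key stands in for a digital signature whose private key would be protected by a hardware root of trust, and a real deployment would verify a signature rather than share a secret between parties.

```python
import hashlib
import hmac

# Hypothetical linear ordering of labels (an assumption for the example, not a policy).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def _tag(key: bytes, label: str, data: bytes) -> bytes:
    """Binding tag over both the attribute and the object. HMAC-SHA256 with an in-memory key
    stands in for a digital signature whose key would be held by a hardware root of trust."""
    msg = label.encode() + b"\x00" + hashlib.sha256(data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

def bind(key: bytes, label: str, data: bytes) -> dict:
    """Associate (bind) a security attribute with an information object."""
    if label not in LEVELS:
        raise ValueError(f"unknown label {label!r}")
    return {"label": label, "data": data, "tag": _tag(key, label, data)}

def binding_valid(key: bytes, obj: dict) -> bool:
    """True only if neither the label nor the data changed since the binding was made."""
    return hmac.compare_digest(_tag(key, obj["label"], obj["data"]), obj["tag"])

def flow_allowed(src_label: str, dst_label: str) -> bool:
    """Dominance rule: an object may flow only to a destination at the same or a higher level."""
    return LEVELS[src_label] <= LEVELS[dst_label]

def enforce_flow(key: bytes, obj: dict, dst_label: str) -> dict:
    """Flow enforcement decision with the three responses named in the guidance."""
    if not binding_valid(key, obj):
        # A broken binding means the attribute cannot be trusted: hold the object and alert.
        return {"action": "quarantine", "alert": True,
                "reason": "security attribute binding failed verification"}
    if not flow_allowed(obj["label"], dst_label):
        return {"action": "block", "alert": False,
                "reason": f"{obj['label']} may not flow to {dst_label}"}
    return {"action": "allow", "alert": False, "reason": ""}

def regrade(key: bytes, obj: dict, new_label: str, approver_authorized: bool) -> dict:
    """Single-purpose re-grading: changes only the label, never the data, and only on authorization."""
    if not approver_authorized:
        raise PermissionError("re-grading requires an authorized approver")
    if not binding_valid(key, obj):
        raise ValueError("refusing to re-grade an object whose binding does not verify")
    return bind(key, new_label, obj["data"])

if __name__ == "__main__":
    k = b"example-key-not-hardware-protected"  # constructed for the demo; never a real key
    memo = bind(k, "SECRET", b"constructed memo body")
    print(enforce_flow(k, memo, "TOP SECRET")["action"], enforce_flow(k, memo, "CONFIDENTIAL")["action"])
    print(enforce_flow(k, dict(memo, label="UNCLASSIFIED"), "UNCLASSIFIED")["action"])
```

The order of checks matters: the binding is verified before the label is consulted, because a label that no longer verifies carries no information about the object, and the only safe response is to hold the object for review. The re-grading function is deliberately limited: it cannot alter data and refuses objects whose binding is already broken, which is what keeps its validation tractable.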

This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems.

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems.

Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area.

A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.

Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.

External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizationally owned devices. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need access to organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.

Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

Non-organizationally owned devices include devices owned by other organizations (e.g., federal/state agencies, contractors) and personally owned devices. There are risks to using non-organizationally owned devices. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, it may be such that the use of non-organizationally owned devices is allowed but restricted in some way. Restrictions include, for example: (i) requiring the implementation of organization-approved security controls prior to authorizing such connections; (ii) limiting access to certain types of information, services, or applications; (iii) using virtualization techniques to limit processing and storage activities to servers or other system components provisioned by the organization; and (iv) agreeing to terms and conditions for usage. For personally owned devices, organizations consult with the Office of the General Counsel regarding legal issues associated with using such devices in operational environments, including, for example, requirements for conducting forensic analyses during investigations after an incident.

Network accessible storage devices in external information systems include, for example, online storage devices in public, hybrid, or community cloud-based systems.

This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment.

In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.

Data storage objects include, for example, databases, database records, and database fields. Data mining prevention and detection techniques include, for example: (i) limiting the types of responses provided to database queries; (ii) limiting the number/frequency of database queries to increase the work factor needed to determine the contents of such databases; and (iii) notifying organizational personnel when atypical database queries or accesses occur. This control focuses on the protection of organizational information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is now available as open source information.

Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement.

In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed
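The three data mining safeguards listed above (limiting response types, limiting query frequency, and notifying on atypical queries) as a query guard placed in front of a data store. This is an added example, not text or code from the catalog; the policy values, field names and query stream are constructed for illustration.

```python
"""Added example (not NIST text): the three AC-23 data mining safeguards as a
query guard in front of a data store. All policy values and the query stream
are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Constructed policy values (not from the catalog).
WINDOW_SECONDS = 60            # sliding window for the per-subject query cap
MAX_QUERIES_PER_WINDOW = 5     # (ii) cap on number/frequency of queries
ALLOWED_FIELDS = frozenset({"employee_id", "name", "department"})  # (i)
ATYPICAL_ROW_LIMIT = 100       # (iii) result sets larger than this are atypical


@dataclass
class DataMiningGuard:
    """Mediates queries to a data store that holds restricted information."""
    history: Dict[str, Deque[float]] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def _rate_exceeded(self, subject: str, now: float) -> bool:
        """(ii) Sliding-window count of this subject's recent queries."""
        window = self.history.setdefault(subject, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # forget queries outside the window
        if len(window) >= MAX_QUERIES_PER_WINDOW:
            return True                      # cap reached: raises the work factor
        window.append(now)
        return False

    def check(self, subject: str, now: float, fields: List[str],
              row_limit: int) -> Tuple[str, List[str]]:
        """Return (decision, fields the response may contain)."""
        if self._rate_exceeded(subject, now):
            self.notifications.append(
                f"t={now:.0f} {subject}: query frequency cap reached")
            return "deny", []
        # (i) limit the types of responses: project to permitted fields only
        permitted = [f for f in fields if f in ALLOWED_FIELDS]
        # (iii) notify personnel when a query is atypical for this store
        if row_limit > ATYPICAL_ROW_LIMIT:
            self.notifications.append(
                f"t={now:.0f} {subject}: atypical query, row_limit={row_limit}")
        return "allow", permitted


def run_demo() -> DataMiningGuard:
    """Constructed query stream: one subject querying fast, one pulling in bulk."""
    guard = DataMiningGuard()
    for i in range(7):                       # seven queries in 30 seconds
        guard.check("analyst1", 1000.0 + 5 * i, ["name", "salary"], 10)
    guard.check("analyst2", 1000.0, ["name"], 5000)
    return guard


if __name__ == "__main__":
    for line in run_demo().notifications:
        print(line)
```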

In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish.

Information is represented internally within information systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures such as records, buffers, tables, files, inter-process pipes, and communications ports. Reference monitors typically enforce mandatory access control policies, a type of access control that restricts access to objects based on the identity of subjects or groups to which the subjects belong. The access controls are mandatory because subjects with certain privileges (i.e., access permissions) are restricted from passing those privileges on to any other subjects, either directly or indirectly; that is, the information system strictly enforces the access control policy based on the rule set established by the policy. The tamperproof property of the reference monitor prevents adversaries from compromising the functioning of the mechanism. The always invoked property prevents adversaries from bypassing the mechanism and hence violating the security policy. The smallness property helps to ensure the completeness in the analysis and testing of the mechanism to detect weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security.

Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training.

Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with roles and responsibilities associated with physical security controls requiring specialized training.

Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes.
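The reference monitor described above (subjects, objects, a rule set that subjects cannot change, and one always-invoked mediation point), with the access control decision kept separate from access enforcement as the AC-24 guidance distinguishes them. This is an added example, not code from the catalog; the subjects, objects and rule set are constructed.

```python
"""Added example (not NIST text): a small reference monitor in the AC-25 sense.
Subjects, objects and the rule set below are constructed for illustration."""
from dataclasses import dataclass
from types import MappingProxyType
from typing import FrozenSet, List, Mapping


@dataclass(frozen=True)
class Subject:
    """Active entity: an individual, device, or process acting for one."""
    identity: str
    groups: FrozenSet[str]


# Rule set installed by the policy authority: object -> operation -> the
# subject identities or groups allowed. It is exposed read-only, so a subject
# holding a privilege has no way to pass it on to another subject (the
# "mandatory" property the guidance describes).
RULES: Mapping[str, Mapping[str, FrozenSet[str]]] = MappingProxyType({
    "payroll.db": MappingProxyType({"read": frozenset({"hr"}),
                                    "write": frozenset({"hr-admin"})}),
    "audit.log": MappingProxyType({"read": frozenset({"auditor"}),
                                   "append": frozenset({"syslogd"})}),
})


class ReferenceMonitor:
    """Small enough to review completely; every object access goes through it."""

    def __init__(self, rules: Mapping = RULES) -> None:
        self._rules = rules
        # Passive entities (objects). Held privately so that no code path
        # reaches them except access(): the "always invoked" property.
        self._objects = {"payroll.db": b"alice,4200\n", "audit.log": b""}
        self.audit: List[str] = []

    def decide(self, subject: Subject, obj: str, op: str) -> bool:
        """Access control decision (AC-24): apply the rule set to one request."""
        allowed = self._rules.get(obj, {}).get(op, frozenset())
        return bool((subject.groups | {subject.identity}) & allowed)

    def access(self, subject: Subject, obj: str, op: str,
               data: bytes = b"") -> bytes:
        """Access enforcement: mediate, record the outcome, then act."""
        ok = self.decide(subject, obj, op)
        self.audit.append(
            f"{subject.identity} {op} {obj} {'ALLOW' if ok else 'DENY'}")
        if not ok:
            raise PermissionError(f"{subject.identity} may not {op} {obj}")
        if op == "read":
            return self._objects[obj]
        if op == "write":
            self._objects[obj] = data
        elif op == "append":
            self._objects[obj] += data
        else:
            raise ValueError(f"unknown operation {op}")
        return data


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    hr_user = Subject("alice", frozenset({"hr"}))
    print(monitor.access(hr_user, "payroll.db", "read"))
    try:
        monitor.access(hr_user, "payroll.db", "write", b"alice,9999\n")
    except PermissionError as exc:
        print("denied:", exc)
    print(monitor.audit)
```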

A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations.

Documentation for specialized training may be maintained by individual supervisors at the option of the organization.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of

Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient.

Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).

Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or make it more difficult to locate information of interest.

This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized audit management and configuration capability provided by the information system.

Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.

Off-loading is a process designed to preserve the confidentiality and integrity of audit records by moving the records from the primary information system to a secondary or alternate system. It is a common process in information systems with limited audit storage capacity; the audit storage is used only in a transitory fashion until the system can communicate with the secondary or alternate system designated for storing the audit records, at which point the information is transferred.

Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

Organizations have the capability to reject or delay the processing of network communications traffic if auditing such traffic is determined to exceed the storage capacity of the information system audit function. The rejection or delay response is triggered by the established organizational traffic volume thresholds which can be adjusted based on changes to audit storage capacity.

Organizations determine the types of audit failures that can trigger automatic information system shutdowns or degraded operations. Because of the importance of ensuring mission/business continuity, organizations may determine that the nature of the audit failure is not so severe that it warrants a complete shutdown of the information system supporting the core organizational missions/business operations. In those instances, partial information system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority.

Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.

Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness.

Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products.

This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events

The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual's identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations.

Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete.

This control enhancement requires a distinct environment for the dedicated analysis of audit information related to privileged users without compromising such information on the information system where the users have elevated privileges including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and all parameters) as opposed to analysis that considers only the name of the

Nontechnical sources include, for example, human resources


records documenting organizational policy violations (e.g.,
sexual
harassment
incidents,
improper
useaudit
of organizational
The frequency,
scope,
and/or depth
of the
review,
information
assets).
Such
information
can
lead
organizations
to
analysis, and reporting may be adjusted to meet organizational
a
more
directed
analytical
effort
to
detect
potential
malicious
needs
based on is
new
insider activity. Due to the sensitive nature of the information available from nontechnical sources, organizations limit access to such information to minimize the potential for the inadvertent release of privacy-related information to individuals that do not have a need to know. Thus, correlation of information from nontechnical sources with audit information generally occurs only when individuals are suspected of being involved in a security incident. Organizations obtain legal advice prior to initiating such actions.

information received.

Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.

Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.

Sorting and searching of audit records may be based upon the contents of audit record fields, for example: (i) date/time of events; (ii) user identifiers; (iii) Internet Protocol (IP) addresses involved in the event; (iv) type of event; or (v) event success/failure.

Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.

This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
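Time normalization, time ordering and field-based selection as the audit reduction, report generation and time stamp guidance above describes them, as an added example that is not NIST's or any product's code. The pipe-delimited record format, the field set and the five sample records are constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditRecord holds the AU-7(1) fields by which events of interest are found.
type AuditRecord struct {
	When     time.Time // normalized to UTC (AU-8: UTC, or local time with an offset)
	User     string    // identity of the individual
	Event    string    // event type
	Resource string    // system resource or information object accessed
	IP       string    // IP address involved
	Success  bool      // event success/failure
}

// ParseRecord parses one line of the constructed (hypothetical) format
//   <RFC 3339 time>|<user>|<event>|<resource>|<ip>|success or failure
func ParseRecord(line string) (AuditRecord, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 6 {
		return AuditRecord{}, fmt.Errorf("want 6 fields, got %d in %q", len(f), line)
	}
	// RFC 3339 carries "Z" or a numeric UTC offset; Go also accepts fractional seconds on input.
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuditRecord{}, fmt.Errorf("bad time stamp in %q: %w", line, err)
	}
	if f[5] != "success" && f[5] != "failure" {
		return AuditRecord{}, fmt.Errorf("bad outcome %q in %q", f[5], line)
	}
	return AuditRecord{When: t.UTC(), User: f[1], Event: f[2], Resource: f[3], IP: f[4], Success: f[5] == "success"}, nil
}

// SortByTime returns a copy of the records in time order plus the number of adjacent
// pairs with identical time stamps, which time stamps alone cannot order (the AU-7/AU-8
// granularity issue). The sort is stable, so tied records keep their arrival order.
func SortByTime(recs []AuditRecord) ([]AuditRecord, int) {
	out := append([]AuditRecord(nil), recs...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].When.Before(out[j].When) })
	ties := 0
	for i := 1; i < len(out); i++ {
		if out[i].When.Equal(out[i-1].When) {
			ties++
		}
	}
	return out, ties
}

// Criteria selects records by field content (AU-7(2)): "" matches anything; Outcome, when non-nil, must equal Success.
type Criteria struct {
	User, Event, IP string
	Outcome         *bool
}

// Select returns the records matching every criterion set in c.
func Select(recs []AuditRecord, c Criteria) []AuditRecord {
	var out []AuditRecord
	for _, r := range recs {
		if (c.User == "" || c.User == r.User) &&
			(c.Event == "" || c.Event == r.Event) &&
			(c.IP == "" || c.IP == r.IP) &&
			(c.Outcome == nil || *c.Outcome == r.Success) {
			out = append(out, r)
		}
	}
	return out
}

// sampleTrail is constructed input from hosts in three time zones, in arrival order.
const sampleTrail = `
2024-03-05T09:00:00-05:00|alice|login|portal|10.0.0.5|success
2024-03-05T14:00:00Z|bob|login|portal|192.168.1.7|failure
2024-03-05T13:59:59.5Z|alice|file-read|/srv/hr/payroll.xlsx|10.0.0.5|success
2024-03-05T15:30:00+01:00|bob|login|portal|192.168.1.7|failure
2024-03-05T17:00:00+02:00|carol|config-change|fw-01|10.0.0.9|success`

func LoadSample() ([]AuditRecord, error) {
	var recs []AuditRecord
	for _, line := range strings.Split(strings.TrimSpace(sampleTrail), "\n") {
		r, err := ParseRecord(line)
		if err != nil {
			return nil, err
		}
		recs = append(recs, r)
	}
	return recs, nil
}

func main() {
	recs, err := LoadSample()
	if err != nil {
		panic(err)
	}
	ordered, ties := SortByTime(recs)
	fmt.Println("first:", ordered[0].When.Format(time.RFC3339Nano), ordered[0].Event, "| adjacent records sharing a time stamp:", ties)
}
```

Note that alice's 09:00-05:00 login and bob's 14:00Z login are the same instant: with second granularity nothing in the records says which came first.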

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.

This control enhancement applies to the initial generation of audit trails (i.e., the collection of audit records that represents the audit information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. The enhancement does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes, for example, Compact Disk-Recordable (CD-R) and Digital Video Disk-Recordable (DVD-R). In contrast, the use of switchable write-protection media such as on tape cartridges or Universal Serial Bus (USB) drives results in write-protected, but not write-once, media.

This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.

Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.

Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms require the approval of two authorized individuals in order to execute. Dual authorization may also be known as two-person control.

Restricting privileged user authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users (e.g., deleting audit records to cover up malicious activity).

Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-

This control enhancement supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of the binding between the information producer and the information based on the security category of the information and relevant risk factors.

This control enhancement prevents the modification of information between production and review. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.
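The signed-hash protection described above for audit information (a hash signed with an asymmetric key so that only the public key is needed to verify it), applied as the cryptographic checksum that validates a binding, as an added example that is not NIST's or any product's code. It uses SHA-256 and Ed25519 from the Go standard library; the three audit records are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedTrail is an audit trail with a signature over its hash. The private key
// stays with the audit system; a reviewer needs only the public key (AU-9(3)).
type SignedTrail struct {
	Records   []string
	Digest    [32]byte
	Signature []byte
}

// trailDigest hashes the records in order, each with a length prefix, so that
// reordering records or moving a record boundary changes the digest.
func trailDigest(records []string) [32]byte {
	h := sha256.New()
	for _, r := range records {
		fmt.Fprintf(h, "%d:%s\n", len(r), r)
	}
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// SignTrail hashes the records and signs the digest with the audit system's key.
func SignTrail(priv ed25519.PrivateKey, records []string) SignedTrail {
	d := trailDigest(records)
	return SignedTrail{Records: append([]string(nil), records...), Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyTrail recomputes the digest from the records as received and checks the
// signature with the public key alone. A changed record fails the first check; a
// digest recomputed by whoever changed the records fails the second.
func VerifyTrail(pub ed25519.PublicKey, t SignedTrail) error {
	d := trailDigest(t.Records)
	if d != t.Digest {
		return fmt.Errorf("records do not hash to the signed digest %s...", hex.EncodeToString(t.Digest[:6]))
	}
	if !ed25519.Verify(pub, d[:], t.Signature) {
		return fmt.Errorf("signature does not verify under the audit system's public key")
	}
	return nil
}

// sampleRecords is constructed input.
var sampleRecords = []string{
	"2024-03-05T14:00:00Z|alice|login|portal|10.0.0.5|success",
	"2024-03-05T14:03:12Z|alice|file-read|/srv/hr/payroll.xlsx|10.0.0.5|success",
	"2024-03-05T14:07:45Z|alice|sudo|/usr/bin/passwd root|10.0.0.5|failure",
}

// TamperCheck signs the sample trail and reports whether verification passes for
// the untouched trail, for a trail with one record altered, and for a trail with
// the last record deleted and the digest recomputed to match the shortened trail.
func TamperCheck() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	signed := SignTrail(priv, sampleRecords)
	clean := VerifyTrail(pub, signed) == nil

	mod := signed
	mod.Records = append([]string(nil), signed.Records...)
	mod.Records[2] = strings.Replace(mod.Records[2], "failure", "success", 1)
	altered := VerifyTrail(pub, mod) == nil

	cut := signed
	cut.Records = signed.Records[:2]
	cut.Digest = trailDigest(cut.Records) // the digest alone is not a secret
	deleted := VerifyTrail(pub, cut) == nil
	return clean, altered, deleted, nil
}

func main() {
	clean, altered, deleted, err := TamperCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untouched verifies: %t, altered verifies: %t, truncated verifies: %t\n", clean, altered, deleted)
}
```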
Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date and time it was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release/transfer function, the information system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, this control enhancement provides organizational officials the means to identify who reviewed and released the information. In the case of automated reviews, this control enhancement ensures that only approved review functions are employed.

This control enhancement prevents the modification of information between review and transfer/release. The validation of bindings can be achieved, for example, by the use of cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically.

Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.

Measures employed by organizations to help facilitate the retrieval of audit records include, for example, converting records to newer formats, retaining equipment capable of reading the records, and retaining necessary documentation to help organizational personnel understand how to interpret the records.

Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

Audit information that is normalized to common standards promotes interoperability and exchange of such information between dissimilar devices and information systems. This facilitates production of event information that can be more readily analyzed and correlated. Standard formats for audit records include, for example, system log records and audit records compliant with Common Event Expressions (CEE). If logging mechanisms within information systems do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails.

This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours.

Open source information includes, for example, social networking sites.

Automated mechanisms can include, for example, automated scripts to monitor new posts on selected websites, and commercial services providing notifications and alerts to organizations.

Session audits include, for example, monitoring keystrokes,


tracking websites visited, and recording information and/or file
transfers. Session auditing activities are developed, integrated,
and used in consultation with legal counsel in accordance with
applicable federal laws, Executive Orders, directives, policies,
regulations, or standards.

Since an alternate audit capability may be a short-term protection employed until the failure in the primary auditing capability is corrected, organizations may determine that the alternate audit capability need only provide a subset of the primary audit functionality that is impacted by the failure.

When organizations use information systems and/or services of external organizations, the auditing capability necessitates a coordinated approach across organizations. For example, maintaining the identity of individuals that requested particular services across organizational boundaries may often be very difficult, and doing so may prove to have significant performance ramifications. Therefore, it is often the case that cross-organizational auditing (e.g., the type of auditing capability provided by service-oriented architectures) simply captures the identity of individuals issuing requests at the initial information system, and subsequent systems record that the requests emanated from authorized individuals.

This control enhancement applies when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual.

Because of the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only the home organizations of individuals have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.
Organizations assess security controls in organizational
information systems and the environments in which those
systems operate as part of: (i) initial and ongoing security
authorizations; (ii) FISMA annual assessments; (iii) continuous
monitoring; and (iv) system development life cycle activities.
Security assessments: (i) ensure that information security is
built into organizational information systems; (ii) identify
weaknesses and deficiencies early in the development process;
(iii) provide essential information needed to make risk-based
decisions as part of security authorization processes; and (iv)
ensure compliance to vulnerability mitigation procedures.
Assessments are conducted on the implemented security
controls from Appendix F (main catalog) and Appendix G
(Program Management controls) as documented in System
Security Plans and Information Security Program Plans.
Organizations can use other types of assessment activities
such as vulnerability scanning and system monitoring to
maintain the security posture of information systems during
the entire life cycle. Security assessment reports document
assessment results in sufficient detail as deemed necessary by

Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments.

Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes.

Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives.

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.

Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI).

Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface/cross-domain systems) provide information flow enforcement from information systems to external networks.

Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI).

A public network is any network accessible to the general public including, for example, the Internet and organizational extranets with public access.

Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.

Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.
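The two connectivity policies for external domains described above, evaluated side by side on the same destinations so that the difference for a domain nobody has decided about is visible, as an added example that is not NIST's or any product's code. All domain names and both exception lists are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is one of the two connectivity policies CA-3(5) describes.
type Policy int

const (
	AllowAllDenyByException Policy = iota // "blacklisting", the weaker policy
	DenyAllAllowByException               // "whitelisting", the stronger policy
)

// ConnectivityPolicy is a policy with its exception list of domain names.
// An exception covers the domain itself and every subdomain of it.
type ConnectivityPolicy struct {
	Mode       Policy
	Exceptions []string
}

// normalize folds case and drops a port and trailing dot, so that
// "Vendor.Example.COM:443" and "vendor.example.com." name the same domain.
// (Host names only; bracketed IPv6 literals are not handled here.)
func normalize(host string) string {
	host = strings.ToLower(strings.TrimSpace(host))
	host, _, _ = strings.Cut(host, ":")
	return strings.TrimSuffix(host, ".")
}

// isException reports whether host is an excepted domain or lies under one.
// The dot in the suffix test keeps "notvendor.example" outside "vendor.example".
func (p ConnectivityPolicy) isException(host string) bool {
	host = normalize(host)
	for _, e := range p.Exceptions {
		e = normalize(e)
		if host == e || strings.HasSuffix(host, "."+e) {
			return true
		}
	}
	return false
}

// Allowed applies the policy. Under allow-all the exceptions are what is denied;
// under deny-all they are the only destinations permitted, so a domain nobody has
// decided about is reachable under the first policy and blocked under the second.
func (p ConnectivityPolicy) Allowed(host string) bool {
	switch p.Mode {
	case AllowAllDenyByException:
		return !p.isException(host)
	case DenyAllAllowByException:
		return p.isException(host)
	}
	return false // unknown mode: fail closed
}

// Constructed lists: the destinations the organization has explicitly decided about.
var (
	denyList  = []string{"filedrop.example", "chat.example.net"}
	allowList = []string{"updates.example.gov", "vendor.example.com"}
)

// Decision records the outcome for one destination under both policies.
type Decision struct {
	Host             string
	AllowAll, DenyAll bool
}

// Compare evaluates each destination under both policies with the constructed
// exception lists.
func Compare(hosts []string) []Decision {
	bl := ConnectivityPolicy{Mode: AllowAllDenyByException, Exceptions: denyList}
	wl := ConnectivityPolicy{Mode: DenyAllAllowByException, Exceptions: allowList}
	var out []Decision
	for _, h := range hosts {
		out = append(out, Decision{Host: h, AllowAll: bl.Allowed(h), DenyAll: wl.Allowed(h)})
	}
	return out
}

func main() {
	// Constructed destinations as they might appear in outbound connection logs.
	for _, d := range Compare([]string{"vendor.example.com", "cdn.Vendor.example.com:443",
		"filedrop.example", "notfiledrop.example", "unknown-host.example.org"}) {
		fmt.Printf("%-28s allow-all/deny-by-exception=%-5t deny-all/allow-by-exception=%t\n", d.Host, d.AllowAll, d.DenyAll)
	}
}
```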
Security authorizations are official management decisions,
conveyed through authorization decision documents, by senior
organizational officials or executives (i.e., authorizing officials)
to authorize operation of information systems and to explicitly
accept the risk to organizational operations and assets,
individuals, other organizations, and the Nation based on the
implementation of agreed-upon security controls. Authorizing
officials provide budgetary oversight for organizational
information systems or assume responsibility for the
mission/business operations supported by those systems. The
security authorization process is an inherently federal
responsibility and therefore, authorizing officials must be
federal employees. Through the security authorization process,

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.

Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services.

Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organization or across the federal government, success rates of certain types of cyber attacks, emerging vulnerabilities in information technologies, evolving social engineering techniques, results from multiple security control assessments, the effectiveness of configuration settings, and findings from Inspectors General or auditors.

Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.

Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing.

Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness.

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.

Security compliance checks may include, for example, verification of the relevant baseline configuration.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The

This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.

Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.

Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments.

When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes

Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).

Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.

Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.

Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address expiration of those certificates.

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines).

Implementation in this context refers to installing changed code in the operational information system.

Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), change windows (e.g.,

Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control.

In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers.

Software libraries include privileged programs.

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.

The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.

Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls

Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functions, ports, protocols, and services.

The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.

The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.
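
The integrity check described above, and the manifest authentication that the signed-components guidance earlier calls for, as an added example rather than text or code from NIST SP 800-53: an allowlist manifest of expected SHA-256 digests is itself authenticated before use, and each program is checked against it prior to execution. The key, file names and file contents are constructed for the demonstration, and the HMAC tag on the manifest stands in for the digital signature a real deployment would apply.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Decision codes returned by check_program().
ALLOW = "ALLOW"
DENY_NOT_LISTED = "DENY_NOT_LISTED"        # program is absent from the allowlist
DENY_HASH_MISMATCH = "DENY_HASH_MISMATCH"  # listed, but its contents changed
DENY_BAD_MANIFEST = "DENY_BAD_MANIFEST"    # the allowlist itself failed authentication


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, key):
    """Return (manifest_bytes, tag): canonical JSON {abs_path: sha256} and its HMAC tag.

    Run once on a trusted build host against the gold copies of the programs.
    Assumption for this demo: an HMAC-SHA256 tag stands in for the digital
    signature a real deployment would apply to the manifest.
    """
    entries = {os.path.abspath(p): sha256_file(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def load_manifest(body, tag, key):
    """Return the allowlist dict, or None when the tag does not verify.

    A manifest that fails authentication must fail closed: whoever can edit
    the allowlist could otherwise authorize anything simply by listing it.
    """
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def check_program(path, allowlist):
    """Decide whether `path` may execute: it must be listed AND hash-match."""
    if allowlist is None:
        return DENY_BAD_MANIFEST
    expected = allowlist.get(os.path.abspath(path))
    if expected is None:
        return DENY_NOT_LISTED
    if not hmac.compare_digest(expected, sha256_file(path)):
        return DENY_HASH_MISMATCH
    return ALLOW


def demo():
    """Constructed scenario (names, contents and key are made up for the demo):
    two authorized programs, one of which is modified after the manifest is
    built, one program that was never listed, and a manifest edited without
    its tag being renewed."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        agent = os.path.join(d, "backup-agent")
        shipper = os.path.join(d, "log-shipper")
        stranger = os.path.join(d, "unknown-tool")
        samples = [(agent, b"\x7fELF demo agent"),
                   (shipper, b"\x7fELF shipper v1"),
                   (stranger, b"#!/bin/sh\necho hi\n")]
        for p, content in samples:
            with open(p, "wb") as f:
                f.write(content)
        body, tag = build_manifest([agent, shipper], key)
        allowlist = load_manifest(body, tag, key)

        results = {
            "listed_intact": check_program(agent, allowlist),
            "not_listed": check_program(stranger, allowlist),
        }
        # The shipper binary changes on disk after the manifest was built
        # (what an unauthorized update or on-disk tampering would look like).
        with open(shipper, "ab") as f:
            f.write(b"\x90\x90")
        results["listed_modified"] = check_program(shipper, allowlist)

        # The manifest body gains an entry but the tag is not renewed.
        forged = body[:-1] + b', "/opt/unlisted": "00"}'
        results["tampered_manifest"] = check_program(agent, load_manifest(forged, tag, key))
        return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Running the check at system startup instead of per execution is the same logic applied to every path in the manifest in one pass.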
Organizations may choose to implement centralized
information system component inventories that include
components from all organizational information systems. In
such situations, organizations ensure that the resulting
inventories include system-specific information required for
proper component accountability (e.g., information system
association, information system owner). Information deemed
necessary for effective accountability of information system
components includes, for example, hardware inventory
specifications, software license information, software version
numbers, component owners, and for networked components
or devices, machine names and network addresses. Inventory
specifications include, for example, manufacturer, device type,
model, serial number, and physical location.

Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated).

This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.

This control enhancement focuses on configuration settings established by organizations for information system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. Centralized repositories of information system component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner).

The use of automated mechanisms to track the location of information system components can increase the accuracy of component inventories. Such capability may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions.

Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement.

Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.

In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked to develop configuration management processes using personnel who are not directly involved in system development or integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the information system development and integration processes and configuration management processes to facilitate quality control and more effective oversight.

Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.

Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software.

If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved app stores. Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods

Privileged status can be obtained, for example, by serving in the role of system administrator.
This control addresses the establishment of policy and
procedures for the effective implementation of selected
security controls and control enhancements in the CP family.
Policy and procedures reflect applicable federal laws, Executive
Orders, directives, regulations, policies, standards, and
guidance. Security program policies and procedures at the
organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be
included as part of the general information security policy for
organizations or conversely, can be represented by multiple
policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
Contingency planning for information systems is part of an
overall organizational program for achieving continuity of
operations for mission/business functions. Contingency
planning addresses both information system restoration and
implementation of alternative mission/business processes
when systems are compromised. The effectiveness of
contingency planning is maximized by considering such
planning throughout the phases of the system development life
cycle. Performing contingency planning on hardware, software,
and firmware development can be an effective means of
achieving information system resiliency. Contingency plans
reflect the degree of restoration required for organizational
information systems since not all systems may need to fully
recover to achieve the level of continuity of operations desired.
Information system recovery objectives reflect applicable laws,
Executive Orders, directives, policies, standards, regulations,
and guidelines. In addition to information system availability,
contingency plans also address other security-related events
resulting in a reduction in mission and/or business
effectiveness, such as malicious attacks compromising the
confidentiality or integrity of information systems. Actions
addressed in contingency plans include, for example,
orderly/graceful degradation, information system shutdown,
fallback to a manual mode, alternate information flows, and
operating in modes reserved for when systems are under
attack. By closely coordinating contingency planning with
incident handling activities, organizations can ensure that the
necessary contingency planning activities are in place and
activated in the event of a security incident.

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans.

Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning.

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions/business functions may be dependent on the severity/extent of disruptions to the information system and its supporting infrastructure.

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).

Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).

When the capability of an organization to successfully carry out its core missions/business functions is dependent on external service providers, developing a timely and comprehensive contingency plan may become more challenging. In this situation, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization.

Organizations may choose to identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.

Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles/responsibilities reflects the specific continuity requirements in the contingency plan.

Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.

Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.

Automated mechanisms provide more thorough and effective testing of contingency plans, for example: (i) by providing more complete coverage of contingency issues; (ii) by selecting more realistic test scenarios and environments; and (iii) by effectively stressing the information system and supported missions.
Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.

Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions/business functions despite disruption, compromise, or failure in organizational information systems.

Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.

Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.

Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site.

Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place.

This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits/lines or satellites in lieu of ground-based communications.

Organizations consider the potential mission/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions.

Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber/physical attacks, and errors of omission/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment.

Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training.

System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.
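The backup-integrity mechanism named above (cryptographic hashes sealed by a keyed tag), as an added example that is not NIST's code: HMAC-SHA256 stands in for the digital signature the guidance mentions, and the key, directory layout and file contents are constructed for the demo.

```python
"""Integrity protection for a backup set: a manifest of per-file SHA-256
digests, sealed with a keyed tag, so a restore can detect tampering or
corruption before the backup is used.

Assumptions (not from the guidance): HMAC-SHA256 with a key shared between
backup and restore hosts stands in for a digital signature."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backups are never read whole


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def canonical(files):
    # Deterministic encoding of the path->digest map; the tag covers exactly this.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Walk a backup directory; return {"files": {relpath: sha256}, "tag": hex}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = sha256_file(full)
    tag = hmac.new(key, canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "tag": tag}


def verify_manifest(root, manifest, key):
    """Return (ok, problems). The tag is checked first: a manifest with a bad
    tag may have been rewritten to match altered files, so its digests are
    not trusted at all."""
    expected = hmac.new(key, canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["manifest tag mismatch"]
    problems = []
    for rel, digest in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"modified: {rel}")
    # Files on disk that the manifest does not list are flagged as well.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest["files"]:
                problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed backup set; one file is altered after the manifest is built."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(root, "db.sql"), "w") as f:
            f.write("CREATE TABLE t(x);\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_manifest(root, manifest, key)
        with open(os.path.join(root, "db.sql"), "a") as f:
            f.write("DROP TABLE t;\n")  # simulated tampering
        tampered_ok, problems = verify_manifest(root, manifest, key)
        # Rebuilding the manifest without the key cannot produce a valid tag.
        forged = build_manifest(root, b"wrong-key")
        forged_ok, forged_problems = verify_manifest(root, forged, key)
        return clean_ok, tampered_ok, problems, forged_ok, forged_problems


if __name__ == "__main__":
    print(demo())
```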

Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.

Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.

Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting/destroying backup information possess sufficient skills/expertise to determine if the proposed deletion/destruction of backup information reflects organizational policies and procedures. Dual authorization may also be known as two-person control.

Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements.

Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.

Restoration of information system components includes, for example, reimaging which restores components to known, operational states.
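Transaction rollback as described above, as an added example (not from the page): a two-step transfer in an SQLite ledger either commits whole or is undone whole, so a failure after the first step cannot leave the records half-updated. The ledger rows and account names are constructed for the demo.

```python
"""Transaction rollback: a multi-step update is applied atomically, and a
failure part-way through restores the pre-transaction state from the journal."""
import sqlite3


def open_ledger():
    """Constructed in-memory ledger. The CHECK constraint makes the second step
    of an overdrawn transfer fail after the first step has already applied."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    conn.execute("CREATE TABLE account("
                 "name TEXT PRIMARY KEY, balance INTEGER NOT NULL CHECK(balance >= 0))")
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("ops", 100), ("backup", 20)])
    return conn


def transfer(conn, src, dst, amount):
    """Move amount from src to dst as one transaction. Returns True on commit,
    False when rolled back; in the latter case no row has changed."""
    try:
        conn.execute("BEGIN")
        credited = conn.execute(
            "UPDATE account SET balance = balance + ? WHERE name = ?", (amount, dst)).rowcount
        # SQLite has journaled the pre-image of every page touched above, which
        # is what makes the ROLLBACK below able to undo the credit.
        debited = conn.execute(
            "UPDATE account SET balance = balance - ? WHERE name = ?", (amount, src)).rowcount
        if credited != 1 or debited != 1:
            raise sqlite3.IntegrityError("unknown account")
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")  # every step since BEGIN is undone
        return False


def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM account ORDER BY name"))


def demo():
    conn = open_ledger()
    before = balances(conn)
    ok_good = transfer(conn, "ops", "backup", 30)       # commits
    after_good = balances(conn)
    ok_bad = transfer(conn, "backup", "ops", 500)       # overdraws backup -> rollback
    ok_unknown = transfer(conn, "ops", "nobody", 10)    # credit hits no row -> rollback
    after_bad = balances(conn)
    return before, ok_good, after_good, ok_bad, ok_unknown, after_bad


if __name__ == "__main__":
    print(demo())
```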
Protection of backup and restoration hardware, firmware, and software components includes both physical and technical safeguards. Backup and restoration software includes, for example, router tables, compilers, and other security-relevant system software.

Contingency plans and the associated training and testing for those plans, incorporate an alternate communications protocol capability as part of increasing the resilience of organizational information systems. Alternate communications protocols include, for example, switching from Transmission Control Protocol/Internet Protocol (TCP/IP) Version 4 to TCP/IP Version 6. Switching communications protocols may affect software applications and therefore, the potential side effects of introducing alternate communications protocols are analyzed prior to implementation.

For information systems supporting critical missions/business functions including, for example, military operations and weapons systems, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments), organizations may choose to identify certain conditions under which those systems revert to a predefined safe mode of operation. The primary safe mode of operation, which can be activated automatically or manually, restricts the types of activities or operations information systems could execute when those conditions are encountered. Restriction includes, for example, allowing only certain functions that could be carried out under limited power or with reduced communications bandwidth.

This control supports information system resiliency and contingency planning/continuity of operations. To ensure mission/business continuity, organizations can implement alternative or supplemental security mechanisms. These mechanisms may be less effective than the primary mechanisms (e.g., not as easy to use, not as scalable, or not as secure). However, the capability to readily employ these alternative/supplemental mechanisms enhances overall mission/business continuity that might otherwise be adversely impacted if organizational operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, this control would typically be applied only to critical security capabilities provided by information systems, system components, or information system services. For example, an organization may issue to senior executives and system administrators one-time pads in case multifactor tokens, the organization's standard means for secure remote authentication, is compromised.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.
Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or, in the case of multifactor authentication, some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses).

Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators.

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.

Single sign-on enables users to log in once and gain access to multiple information system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the increased risk from disclosures of single authenticators providing access to multiple system resources.

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

Out-of-band authentication (OOBA) refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path), is used to identify and authenticate users or devices, and generally is the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access, and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user's cell phone to verify that the requested action originated from the user. The user may either confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. This type of authentication can be employed by organizations to mitigate actual or suspected man-in-the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact or classification level of information in requested transactions.

Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.

A local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk (e.g., remote connections).

DHCP-enabled clients obtaining leases for IP addresses from DHCP servers, is a typical example of dynamic address allocation for devices.

Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. This might be determined via some cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches/updates are done securely and at the same time do not disrupt identification and authentication to other devices.

Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.

Prohibiting the use of information system account identifiers that are the same as some public identifier such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers on organizational information systems.
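The replay-resistant challenge-response authentication described above (a server-issued nonce that is random, single-use and short-lived), as an added example that is not NIST's code: the shared secret, user name and 30-second challenge lifetime are constructed for the demo, and the clock is injectable so the expiry path can be exercised deterministically.

```python
"""Nonce-based challenge-response: a recorded (nonce, response) pair cannot be
replayed, a response never matches a different challenge, and a challenge
answered after its lifetime is refused even with the right secret."""
import hashlib
import hmac
import secrets
import time


def compute_response(secret, user, nonce):
    """Client side: prove knowledge of the secret for exactly this user and nonce."""
    msg = f"{user}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ChallengeServer:
    def __init__(self, secrets_by_user, ttl=30.0, clock=time.monotonic):
        self._secrets = secrets_by_user   # user -> shared secret (bytes)
        self._ttl = ttl                   # seconds a challenge stays valid
        self._clock = clock
        self._pending = {}                # nonce -> (user, issued_at)
        self._spent = set()               # nonces already consumed

    def challenge(self, user):
        """Issue a fresh 128-bit nonce bound to this user."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (user, self._clock())
        return nonce

    def verify(self, user, nonce, response):
        """Return (ok, reason). Each nonce is accepted at most once, only for the
        user it was issued to, and only within ttl of issuance."""
        if nonce in self._spent:
            return False, "replayed nonce"
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False, "unknown nonce"
        self._spent.add(nonce)            # consumed even if the response is wrong
        issued_user, issued_at = entry
        if issued_user != user or user not in self._secrets:
            return False, "nonce not bound to this user"
        if self._clock() - issued_at > self._ttl:
            return False, "challenge expired"
        expected = compute_response(self._secrets[user], user, nonce)
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        return True, "ok"


def demo():
    secret = b"constructed-shared-secret"
    clock = [0.0]                          # controllable clock for the demo
    server = ChallengeServer({"alice": secret}, ttl=30.0, clock=lambda: clock[0])
    # 1. normal login
    n1 = server.challenge("alice")
    r1 = compute_response(secret, "alice", n1)
    first = server.verify("alice", n1, r1)
    # 2. the captured (nonce, response) pair is presented again
    replay = server.verify("alice", n1, r1)
    # 3. the captured response is offered against a new challenge
    n2 = server.challenge("alice")
    cross = server.verify("alice", n2, r1)
    # 4. a correct answer that arrives after the lifetime has passed
    n3 = server.challenge("alice")
    clock[0] += 31.0
    late = server.verify("alice", n3, compute_response(secret, "alice", n3))
    return first, replay, cross, late


if __name__ == "__main__":
    print(demo())
```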

Requiring multiple forms of identification, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries.

Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

In contrast to conventional approaches to identification which presume static accounts for preregistered users, many distributed information systems including, for example, service-oriented architectures, rely on establishing identifiers at run time for entities that were previously unknown. In these situations, organizations anticipate and provision for the dynamic establishment of identifiers. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and credentials are essential.

Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.

In-person registration reduces the likelihood of fraudulent identifiers being issued because it requires the physical presence of individuals and actual face-to-face interactions with designated registration authorities.

Individual authenticators include, for example, passwords, tokens, biometrics, PKI related certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.

This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
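The password-based controls just described (salted one-way hashes, a minimum number of changed characters measured against the positions of the current password, lifetime limits that do not apply to temporary passwords, and a reuse check), as an added example that is not NIST's code: PBKDF2-HMAC-SHA256 with a random salt is the assumed storage scheme, and the numeric limits are constructed values, not values the guidance prescribes.

```python
"""Password change policy checks over a salted, one-way hashed password record.
Limits below are constructed for the demo, not prescribed by the guidance."""
import hashlib
import hmac
import os

ITERATIONS = 100_000        # PBKDF2 work factor (assumed)
MIN_CHANGED = 8             # minimum positions that must differ from the current password
MIN_LIFETIME_S = 1 * 86400  # minimum age before a non-temporary password may change
MAX_LIFETIME_S = 60 * 86400  # maximum age before a non-temporary password expires
HISTORY = 24                # generations remembered for the reuse check


def hash_password(password, salt=None):
    """Salted one-way hash: the random salt is the brute-force mitigation the
    guidance calls salting, since it defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def changed_positions(old, new):
    """Positions of the current password whose character differs in the new one;
    characters appended beyond the current length also count as changes."""
    diffs = sum(1 for a, b in zip(old, new) if a != b)
    return diffs + max(0, len(new) - len(old))


class PasswordRecord:
    def __init__(self, password, now, temporary=False):
        self.salt, self.digest = hash_password(password)
        self.set_at = now
        self.temporary = temporary
        self.history = [(self.salt, self.digest)]   # most recent first

    def expired(self, now):
        """Maximum lifetime; temporary passwords are exempt, as the guidance states."""
        return not self.temporary and now - self.set_at > MAX_LIFETIME_S

    def change(self, old, new, now):
        """Return (ok, reason); the new password is stored only if every check passes."""
        if not check_password(old, self.salt, self.digest):
            return False, "current password incorrect"
        if not self.temporary and now - self.set_at < MIN_LIFETIME_S:
            return False, "minimum lifetime not reached"
        if changed_positions(old, new) < MIN_CHANGED:
            return False, f"fewer than {MIN_CHANGED} characters changed"
        if any(check_password(new, s, d) for s, d in self.history[:HISTORY]):
            return False, f"reused within last {HISTORY} generations"
        self.salt, self.digest = hash_password(new)
        self.history.insert(0, (self.salt, self.digest))
        self.set_at = now
        self.temporary = False
        return True, "ok"


def demo():
    day = 86400
    rec = PasswordRecord("correct horse battery", now=0, temporary=True)
    r1 = rec.change("correct horse battery", "staple-9-Zebra-Quartz!", now=0)          # temporary: no minimum age
    r2 = rec.change("staple-9-Zebra-Quartz!", "staple-9-Zebra-Quartz?", now=2 * day)   # only one position changed
    r3 = rec.change("staple-9-Zebra-Quartz!", "Wholly different 42 pass", now=day // 2)  # too soon after r1
    r4 = rec.change("staple-9-Zebra-Quartz!", "correct horse battery", now=2 * day)     # reuse of a remembered password
    r5 = rec.change("staple-9-Zebra-Quartz!", "Wholly different 42 pass", now=2 * day)  # passes every check
    return r1, r2, r3, r4, r5, rec.expired(now=2 * day + 61 * day)


if __name__ == "__main__":
    print(demo())
```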

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1).

This control enhancement extends the requirement for organizations to change default authenticators upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation. However, it typically does not apply to the developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring information systems or system components.

For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems.

Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).

When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems.

Cross-organization management of credentials provides the capability for organizations to appropriately authenticate individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.

Authentication requires some form of binding between an identity and the authenticator used to confirm the identity. In conventional approaches, this binding typically is established by pre-provisioning both the identity and the authenticator to the information system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the information system. New authentication techniques allow the binding between the identity and the authenticator to be implemented outside an information system. For example, with smartcard credentials, the identity and the authenticator are bound together on the card. Using these credentials, information systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.

Hardware token-based authentication refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.

Unlike password-based authentication which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide such exact matches. Depending upon the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and stored biometric which serves as the basis of comparison. There will likely be both false positives and false negatives when making such comparisons. The rate at which the false accept and false reject rates are equal is known as the crossover rate. Biometric quality requirements include, for example, acceptable crossover rates, as that essentially reflects the accuracy of the biometric.

Federal Identity, Credential, and Access Management (FICAM) approved path discovery and validation products and services are those products and services that have been approved through the FICAM conformance program.

Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small
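The false accept / false reject trade-off and the crossover rate described in the biometric paragraph above, as an added example that is not NIST's code: genuine and impostor match scores are drawn from two constructed, overlapping distributions with a fixed seed rather than from real biometric templates, and the threshold sweep finds the point where the two error rates are equal.

```python
"""Compute FAR, FRR and the crossover (equal error) rate over constructed
match-score samples; constructed data, not real biometric measurements."""
import random


def constructed_scores(n=2000, seed=7):
    """Higher score = closer match. Genuine comparisons centre on 0.70,
    impostor comparisons on 0.40, with equal spread (assumed distributions)."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.70, 0.10) for _ in range(n)]
    impostor = [rng.gauss(0.40, 0.10) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """FAR: impostor scores accepted (>= threshold).
    FRR: genuine scores rejected (< threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_rate(genuine, impostor, steps=1000):
    """Sweep thresholds across the observed score range and return
    (threshold, rate) where FAR and FRR are closest to equal."""
    lo = min(genuine + impostor)
    hi = max(genuine + impostor)
    best = None
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def demo():
    genuine, impostor = constructed_scores()
    threshold, eer = crossover_rate(genuine, impostor)
    strict = error_rates(genuine, impostor, 0.65)   # above crossover: few false accepts, many rejects
    lenient = error_rates(genuine, impostor, 0.45)  # below crossover: few false rejects, many accepts
    return threshold, eer, strict, lenient


if __name__ == "__main__":
    print(demo())
```

Moving the threshold away from the crossover trades one error rate for the other, which is why the guidance treats the crossover rate itself as the accuracy figure to specify.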

Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.

This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.

This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.

This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.

This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).

This control enhancement: (i) applies to logical and physical access control systems; and (ii) addresses Non-Federal Issuers (NFIs) of identity cards that desire to interoperate with United States Government Personal Identity Verification (PIV) information systems and that can be trusted by federal government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is suitable for Assurance Level 4 as defined in OMB Memorandum 04-04 and NIST Special Publication 800-63, and multifactor authentication as defined in NIST Special Publication 800-116. PIV-I credentials are those credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified (directly or through another PKI bridge) with the FBCA with policies that have been mapped and approved as meeting the requirements of the PIV-I policies.

This control supports service-oriented architectures and other distributed architectural approaches requiring the identification and authentication of information system services. In such architectures, external services often appear dynamically. Therefore, information systems should be able to determine in a dynamic manner, if external providers and associated services are authentic. Safeguards implemented by organizational information systems to validate provider and service authenticity include, for example, code signing, provenance graphs, and/or electronic signatures indicating or including the sources of services.

For distributed architectures (e.g., service-oriented architectures), the decisions regarding the validation of identification and authentication claims may be made by services separate from the services acting on those decisions. In such situations, it is necessary to provide the identification and authentication decisions (as opposed to the actual identifiers and authenticators) to the services that need to act on those decisions.

Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information

In addition to the requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii), when roles change; (iii) when security

This control addresses the establishment of policy and procedures for the effective implementation of selected
categories
of information
systems
security
controls
and
control
enhancements
in
the
IR
family.
defined
in
the
FBCA
certificate
policy.
that
they(iv),
do not
typically
access as
part
of their
normal
duties,
change;
when
the
execution
of
privileged
functions
occurs;
Policy
and
procedures
reflect
applicable
federal
laws,
Executive
roles,
or
responsibilities,
accessing
greater
quantities
of
(v)
after
a
fixed
period
of
time;
or
(vi)
periodically.
Orders,
directives,
regulations,
standards,
and or
information
than the
individualspolicies,
would routinely
access,
guidance.
Security
program
policies
and
procedures
at the
attempting to access information from suspicious network
organization
may
make the
need
for system-specific
addresses). Inlevel
these
situations
when
certain
preestablished
policies
and
procedures
unnecessary.
The
can beselected
conditions or triggers occur, organizations policy
can require
included
as
part
of
the
general
information
security
policy for
individuals to provide additional authentication information.
organizations
or
conversely,
can
be
represented
by
multiple
Another potential use for adaptive identification and
policies
reflecting
the
complex
nature
of certain
organizations.
authentication
is to
increase
the
strength
of mechanism
based
The
procedures
can
be
established
for
the
security
program in
on the number and/or types of records being accessed.
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
Incident response training provided by organizations is linked
to the assigned roles and responsibilities of organizational
personnel to ensure the appropriate content and level of detail
is included in such training. For example, regular users may
only need to know who to call or how to recognize an incident
on the information system; system administrators may require
additional training on how to handle/remediate incidents; and
incident responders may receive more specific training on
forensics, reporting, system recovery, and restoration. Incident
response training includes user training in the identification
and reporting of suspicious activities, both from external and
internal sources.

Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.

Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities, for example: (i) by providing more complete coverage of incident response issues; (ii) by selecting more realistic test scenarios and test environments; and (iii) by stressing the response capability.

Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.

Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).

Automated mechanisms supporting incident handling processes include, for example, online incident management systems.

Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats.

Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.

Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.

While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses.

Incident handling for insider threat incidents (including preparation, detection and analysis, containment, eradication, and recovery) requires close coordination among a variety of organizational components or elements to be effective. These components or elements include, for example, mission/business owners, information system owners, human resources offices, procurement offices, personnel/physical security offices, operations personnel, and risk executive (function). In addition, organizations may require external support from federal, state, and local law enforcement agencies.

The coordination of incident information with external organizations including, for example, mission/business partners, military/coalition partners, customers, and multitiered developers, can provide significant benefits. Cross-organizational coordination with respect to incident handling can serve as an important risk management capability. This capability allows organizations to leverage critical information from a variety of sources to effectively respond to information security-related incidents potentially affecting the organization's operations, assets, and individuals.

This control enhancement addresses the deployment of replacement or new capabilities in a timely manner in response to security incidents (e.g., adversary actions during hostile cyber attacks). This includes capabilities implemented at the mission/business process level (e.g., activating alternative mission/business processes) and at the information system level.

Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities.

Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports.

Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.

The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting

Organizations involved in supply chain activities include, for example, system/product developers, integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents include, for example, compromises/breaches involving information system components, information technology products, development processes or personnel, and distribution processes or warehousing facilities. Organizations determine the appropriate information to share considering the value gained from support by external organizations with the potential for harm due to sensitive information being released to outside organizations of perhaps questionable trustworthiness.

Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.

Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks.

It is important that organizations develop and implement a
coordinated approach to incident response. Organizational
missions, business functions, strategies, goals, and objectives
for incident response help to determine the structure of
incident response capabilities. As part of a comprehensive
incident response capability, organizations consider the
coordination and sharing of information with external
organizations, including, for example, external service
providers and organizations involved in the supply chain for
organizational information systems.

Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information
systems that are not authorized to process such information.
Such information spills often occur when information that is
initially thought to be of lower sensitivity is transmitted to an
information system and then is subsequently determined to be
of higher sensitivity. At that point, corrective action is required.
The nature of the organizational response is generally based
upon the degree of sensitivity of the spilled information (e.g.,
security category or classification level), the security
capabilities of the information system, the specific nature of
contaminated storage media, and the access authorizations
(e.g., security clearances) of individuals with authorized access
to the contaminated system. The methods used to
communicate information about the spill after the fact do not
involve methods directly associated with the actual spill to
minimize the risk of further spreading the contamination before
such contamination is isolated and eradicated.

Correction actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business.

Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information.

Having an integrated team for incident response facilitates information sharing. Such capability allows organizational personnel, including developers, implementers, and operators, to leverage the team knowledge of the threat in order to implement defensive measures that will enable organizations to deter intrusions more effectively. Moreover, it promotes the rapid detection of intrusions, development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated security analysis team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing intelligence development. This enables the team to identify adversary TTPs that are linked to the operations tempo or to specific missions/business functions, and to define responsive actions in a way that does not disrupt the mission/business operations. Ideally, information security analysis teams are distributed within organizations to make the capability more resilient.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those
components not directly associated with information processing
and/or data/information retention such as scanners, copiers,
and printers. Information necessary for creating effective
maintenance records includes, for example: (i) date and time of
maintenance; (ii) name of individuals or group performing the
maintenance; (iii) name of escort, if necessary; (iv) a
description of the maintenance performed; and (v) information
system components/equipment removed or replaced (including
identification numbers, if applicable). The level of detail
included in maintenance records can be informed by the
security categories of organizational information systems.
Organizations consider supply chain issues associated with
replacement components for information systems.

This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch.

If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.

This control enhancement applies to information systems that are used to carry out maintenance functions.

Nonlocal maintenance and diagnostic activities are those
activities conducted by individuals communicating through a
network, either an external network (e.g., the Internet) or an
internal network. Local maintenance and diagnostic activities
are those activities carried out by individuals physically present
at the information system or information system component
and not communicating across a network connection.
Authentication techniques used in the establishment of
nonlocal maintenance and diagnostic sessions reflect the
network access requirements in IA-2. Typically, strong

Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance
services implies that the implemented security controls on
those systems, tools, and equipment are at least as
comprehensive as the controls on the information system being
serviced.

Notification may be performed by maintenance personnel. Approval of nonlocal maintenance sessions is accomplished by
organizational personnel with sufficient information security
and information system knowledge to determine the
appropriateness of the proposed maintenance.

Remote disconnect verification ensures that remote connections from nonlocal maintenance sessions have been terminated and are no longer available for use.

This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access

This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not
possess security clearances or possess security clearances at a
lower level than required) or who are not U.S. citizens, visual
and electronic access to any classified information, Controlled
Unclassified Information (CUI), or any other sensitive
information contained on organizational information systems.
Procedures for the use of maintenance personnel can be
documented in security plans for the information systems.

Personnel performing maintenance activities in other capacities not directly related to the information system include, for example, physical plant and janitorial personnel.

Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.

Preventive maintenance includes proactive care and servicing of organizational information systems components for the purpose of maintaining equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid/mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they actually fail. Methods of determining what preventive (or other) failure management policies to apply include, for example, original equipment manufacturer (OEM) recommendations, statistical failure records, requirements of codes, legislation, or regulations within a jurisdiction, expert opinion, maintenance that has already been conducted on similar equipment, or measured values and performance indications.

Predictive maintenance, or condition-based maintenance, attempts to evaluate the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled point in time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the goal of predicting the future trend of the equipment's condition. This approach uses principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thereby minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability. Predictive maintenance tends to include measurement of the item. To evaluate equipment condition, predictive maintenance utilizes nondestructive testing technologies such as infrared, acoustic (partial discharge and airborne ultrasonic), corona detection, vibration

A computerized maintenance management system maintains a computer database of information about the maintenance operations of organizations and automates processing equipment condition data in order to trigger maintenance planning, execution, and reporting.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Information system media includes both digital and non-digital


media. Digital media includes, for example, diskettes, magnetic
tapes, external/removable hard disk drives, flash drives,
compact disks, and digital video disks. Non-digital media
includes, for example, paper and microfilm. Restricting nondigital media access includes, for example, denying access to
patient medical records in a community hospital unless the
The
term security
refers
the application/use
of
individuals
seekingmarking
access to
suchtorecords
are authorized
human-readable
security
attributes.
The to
term
security
labeling
healthcare providers.
Restricting
access
digital
media
refers
to the
application/use
of access
security
with regard
includes,
for example,
limiting
toattributes
design specifications
to
internal
data
structures
within
information
systems
(see ACstored on compact disks in the media library to the project
16).
Information
system media
includes
both digital
leader
and the individuals
on the
development
team.and nondigital media. Digital media includes, for example, diskettes,
magnetic tapes, external/removable hard disk drives, flash
Information
system
media
bothdisks.
digitalNon-digital
and non-digital
drives, compact
disks,
and includes
digital video
media.
Digital media
includes,paper
for example,
diskettes,
magnetic
media includes,
for example,
and microfilm.
Security
tapes,
external/removable
hard disk
drives,
marking
is generally not required
for drives,
media flash
containing
compact
disks,
and digital
disks. Non-digital
media
information
determined
byvideo
organizations
to be in the
public
includes,
paper
and microfilm.
Physically
domain orfor
to example,
be publicly
releasable.
However,
some
controlling
information
system
mediafor
includes,
for example,
organizations
may require
markings
public information
conducting
inventories,
ensuring
procedures
are in place
to of
indicating that
the information
is publicly
releasable.
Marking
allow
individuals
to check
and return
media
to thelaws,
media
information
system
media out
reflects
applicable
federal
library,
and
maintaining
accountability
for all stored
media.
Executive
Orders,
directives,
policies, regulations,
standards,
Secure
storage
includes,
for
example,
a
locked
drawer,
desk,
and
guidance.
Automated mechanisms can include, for example, keypads
onor
cabinet,
or a entries
controlled
mediastorage
library. areas.
The type of media
the external
to media
storage is commensurate with the security category and/or
Information
media includes
both on
digital
and non-digital
classificationsystem
of the information
residing
the media.
media.
Digital
media
includes,
for
example,
diskettes,
magnetic
Controlled areas are areas for which organizations provide
tapes,
external/removable
hard
disk
drives,
flash
drives,
sufficient physical and procedural safeguards to meet the
compact
disks,established
and digitalfor
video
disks. Non-digital
media
requirements
protecting
information
and/or
includes,
forsystems.
example,For
paper
andcontaining
microfilm.information
This control also
information
media
applies
to mobile
devices withtoinformation
storage
capability
determined
by organizations
be in the public
domain,
to be
(e.g.,
smart
phones,
tablets,
E-readers),
that
are
transported
publicly releasable, or to have limited or no adverse impact on
outside
of controlled
areas. Controlled
are areas
organizations
or individuals
if accessedareas
by other
than or
spaces
for which
organizations
provide sufficient
physicalIn
authorized
personnel,
fewer safeguards
may be needed.
and/or
procedural
safeguards
to
meet
the
requirements
these situations, physical access controls provide adequate
established
protection. for protecting information and/or information
systems. Physical and technical safeguards for media are
commensurate with the security category or classification of
the information residing on the media. Safeguards to protect
media during transport include, for example, locked containers
and cryptography. Cryptographic mechanisms can provide
confidentiality
and integrity
depending
upon points
the
Identified custodians
provideprotections
organizations
with specific
mechanisms
used.the
Activities
associated
with transport
include
of contact during
media transport
process
and facilitate
the
actual
transport
as
well
as
those
activities
such
as
releasing
individual accountability. Custodial responsibilities can be
media
for transport
ensuring
media
transferred
from oneand
individual
to that
another
as enters
long asthe
an
appropriate
transport
processes.
For
the
actual
unambiguous custodian is identified at all times.transport,
authorized transport and courier personnel may include
individuals from outside the organization (e.g., U.S. Postal
Service or a commercial transport or delivery service).

This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal.

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers).

This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices.

Organizations employ dual authorization to ensure that information system media sanitization cannot occur unless two technically qualified individuals conduct the task. Individuals sanitizing information system media possess sufficient skills/expertise to determine if the proposed sanitization reflects applicable federal/organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, both protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control.

This control enhancement protects data/information on organizational systems, system components, or devices (e.g., mobile devices) if such systems, components, or devices are obtained by unauthorized individuals. Remote purge/wipe commands require strong authentication to mitigate the risk of unauthorized individuals purging/wiping the system/component/device. The purge/wipe function can be implemented in a variety of ways including, for example, by overwriting data/information multiple times or by destroying the key necessary to decrypt encrypted data.

Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).

Sanitization-resistance applies to the capability to purge information from media. Certain types of media do not support sanitize commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitization-resistant media include, for example, compact flash, embedded flash on boards and devices, solid state drives, and USB removable media.

This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information.

Organizations can document the media downgrading process by providing information such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and/or performed the downgrading action.

Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified information systems to unclassified media.

This control addresses the establishment of policy and
procedures for the effective implementation of selected
security controls and control enhancements in the PE family.
Policy and procedures reflect applicable federal laws, Executive
Orders, directives, regulations, policies, standards, and
guidance. Security program policies and procedures at the
organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be
included as part of the general information security policy for
organizations or conversely, can be represented by multiple
policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
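The MP-6 (1) guidance above says organizations verify that sanitization was effective before disposal and track who did what to which media. The following is an added example, not from SP 800-53 or this page: a read-back check over a constructed device image that reports whether an overwrite-based clear/purge succeeded and what survived if it did not, together with the record fields the enhancement lists. The chunk size, the file signatures, and every device, person and sample content are assumptions.

```python
"""Added example, not from NIST SP 800-53 or this page.

Read-back verification that an overwrite-based clear/purge of a storage
device was effective, plus the record of sanitization actions that MP-6 (1)
says organizations track. Every device, person and sample content below is
constructed; the chunk size and file signatures are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CHUNK = 4096  # assumption: verify in 4 KiB reads, as one would from a block device

# Well-known magic bytes; any of them surviving an overwrite is residual data.
RESIDUAL_SIGNATURES = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x7fELF": "elf",
    b"\xff\xd8\xff": "jpeg",
}


@dataclass
class VerificationResult:
    effective: bool            # True only if every chunk holds the overwrite pattern
    chunks_checked: int
    first_bad_offset: Optional[int] = None
    residual_types: List[str] = field(default_factory=list)


def overwrite_image(image: bytearray, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of the whole image with a repeating pattern."""
    plen = len(pattern)
    for off in range(len(image)):
        image[off] = pattern[off % plen]


def verify_overwrite(image: bytes, pattern: bytes = b"\x00") -> VerificationResult:
    """Read every chunk back and confirm it holds only the overwrite pattern.

    Chunks that differ are also scanned for file signatures so the record can
    say what survived (e.g., an unwiped region still holding a PDF)."""
    plen = len(pattern)
    chunks = 0
    first_bad: Optional[int] = None
    residual: List[str] = []
    for off in range(0, len(image), CHUNK):
        chunk = image[off:off + CHUNK]
        chunks += 1
        expected = bytes(pattern[(off + i) % plen] for i in range(len(chunk)))
        if chunk == expected:
            continue
        if first_bad is None:
            first_bad = off
        for sig, name in RESIDUAL_SIGNATURES.items():
            if sig in chunk and name not in residual:
                residual.append(name)
    return VerificationResult(first_bad is None, chunks, first_bad, residual)


@dataclass
class SanitizationRecord:
    """The tracking/documenting fields MP-6 (1) lists, plus the release decision."""
    media_id: str
    media_type: str
    files_stored: List[str]
    method: str
    reviewed_and_approved_by: str
    performed_by: str
    verified_by: str
    verification: VerificationResult
    disposal_action: str
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def release_allowed(self) -> bool:
        """Media leaves for reuse/disposal only after a successful verification."""
        return self.verification.effective


def build_sample_image() -> bytearray:
    """Constructed 64 KiB image with a fake PDF and a fake zip archive inside."""
    image = bytearray(b"\xa5" * 65536)
    pdf = b"%PDF-1.7 constructed"
    image[8192:8192 + len(pdf)] = pdf
    zipped = b"PK\x03\x04fakezip"
    image[40000:40000 + len(zipped)] = zipped
    return image


def demo() -> Tuple[VerificationResult, VerificationResult, VerificationResult]:
    """Verify before wiping, after a wipe that stopped halfway, and after a full wipe."""
    before = verify_overwrite(bytes(build_sample_image()))
    halfway = build_sample_image()
    halfway[:32768] = b"\x00" * 32768          # constructed: wipe tool stopped mid-device
    partial = verify_overwrite(bytes(halfway))
    full = build_sample_image()
    overwrite_image(full)
    after = verify_overwrite(bytes(full))
    return before, partial, after


if __name__ == "__main__":
    for label, result in zip(("before", "partial", "full"), demo()):
        print(label, result)
```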
This control applies to organizational employees and visitors.
Individuals (e.g., employees, contractors, and others) with
permanent physical access authorization credentials are not
considered visitors. Authorization credentials include, for
example, badges, identification cards, and smart cards.
Organizations determine the strength of authorization
credentials needed (including level of forge-proof badges,
smart cards, or identification cards) consistent with federal
standards, policies, and procedures. This control only applies to
areas within facilities that have not been designated as publicly
accessible.

Acceptable forms of government photo identification include, for example, passports, Personal Identity Verification (PIV) cards, and driver's licenses. In the case of gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.

Due to the highly sensitive nature of classified information stored within certain facilities, it is important that individuals lacking sufficient security clearances, access approvals, or need to know, be escorted by individuals with appropriate credentials to ensure that such information is not exposed or otherwise compromised.

This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for

This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers).

Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration.

Organizations may implement tamper detection/prevention at selected hardware components or tamper detection at some components and tamper prevention at other components. Tamper detection/prevention activities can employ many types of anti-tamper technologies including, for example, tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks.

Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays.

Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.

Controlling physical access to selected output devices includes, for example, placing printers, copiers, and facsimile machines in controlled areas with keypad access controls or limiting access to individuals with certain types of badges.
Controlling physical access to selected output devices includes,
for example, installing security functionality on printers,
copiers, and facsimile machines that allows organizations to
implement authentication (e.g., using a PIN or hardware token)
on output devices prior to the release of output to individuals.
Output devices include, for example, printers, monitors, facsimile machines, scanners, copiers, and audio devices. This control enhancement is generally applicable to information system output devices other than mobile devices.

Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.

This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers).

This control enhancement focuses on recording surveillance video for purposes of subsequent review, if circumstances so warrant (e.g., a break-in detected by other means). It does not require monitoring surveillance video although organizations may choose to do so. Note that there may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location.

Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas.

Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.

Physically separate, redundant power cables help to ensure that power continues to flow in the event one of the cables is cut or otherwise damaged.

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.

This control enhancement can be satisfied, for example, by the


use of a secondary commercial power supply or other external
power supply. Long-term alternate power supplies for the
information system can be either manually or automatically
activated.

This control enhancement can be satisfied, for example, by the


use of one or more generators with sufficient capacity to meet
the needs of the organization. Long-term alternate power
supplies for organizational information systems are either
manually or automatically activated.

This control applies primarily to facilities containing


concentrations of information system resources including, for
example, data centers, server rooms, and mainframe computer
rooms.
This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.

Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.

Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.
This control applies primarily to facilities containing
concentrations of information system resources, for example,
data centers, server rooms, and mainframe computer rooms.

This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.

Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems.

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

Alternate work sites may include, for example, government
facilities or private residences of employees. While commonly
distinct from alternative processing sites, alternate work sites
may provide readily available alternate locations as part of
contingency operations. Organizations may define different
sets of security controls for specific alternate work sites or
types of sites depending on the work-related activities
conducted at those sites. This control supports the contingency
planning activities of organizations and the federal telework
initiative.

Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones).

Information leakage is the intentional or unintentional release of information to an untrusted environment from electromagnetic signals emanations. Security categories or classifications of information systems (with respect to confidentiality) and organizational security policies guide the selection of security controls employed to protect systems against information leakage due to electromagnetic signals emanations.

Asset location technologies can help organizations ensure that critical assets such as vehicles or essential information system components remain in authorized locations. Organizations consult with the Office of the General Counsel and the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) regarding the deployment and use of asset location technologies to address potential privacy concerns.
This control addresses the establishment of policy and
procedures for the effective implementation of selected
security controls and control enhancements in the PL family.
Policy and procedures reflect applicable federal laws, Executive
Orders, directives, regulations, policies, standards, and
guidance. Security program policies and procedures at the
organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be
included as part of the general information security policy for
organizations or conversely, can be represented by multiple
policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
Security plans relate security requirements to a set of security
controls and control enhancements. Security plans also
describe, at a high level, how the security controls and control
enhancements meet those security requirements, but do not
provide detailed, technical descriptions of the specific design or
implementation of the controls/enhancements. Security plans
contain sufficient information (including the specification of
parameter values for assignment and selection statements
either explicitly or by reference) to enable a design and
implementation that is unambiguously compliant with the
intent of the plans and subsequent determinations of risk to
organizational operations and assets, individuals, other
organizations, and the Nation if the plan is implemented as
intended. Organizations can also apply tailoring guidance to
the security control baselines in Appendix D and CNSS
Instruction 1253 to develop overlays for community-wide use
or to address specialized requirements, technologies, or
missions/environments of operation (e.g., DoD-tactical, Federal
Public Key Infrastructure, or Federal Identity, Credential, and
Access Management, space operations). Appendix I provides
guidance on developing overlays. Security plans need not be
single documents; the plans can be a collection of various

Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.

This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.

This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.

The security CONOPS may be included in the security plan for the information system or in other system development life cycle-related documents, as appropriate. Changes to the CONOPS are reflected in ongoing updates to the security plan, the information security architecture, and other appropriate organizational documents (e.g., security specifications for procurements/acquisitions, system development life cycle documents, and systems/security engineering documents).

This control addresses actions taken by organizations in the


design and development of information systems. The
information security architecture at the individual information
system level is consistent with and complements the more
global, organization-wide information security architecture
described in PM-7 that is integral to and developed as part of
the enterprise architecture. The information security
architecture includes an architectural description, the
placement/allocation of security functionality (including
security controls), security-related information for external
interfaces, information being exchanged across the interfaces,
and the protection mechanisms associated with each interface.
In addition, the security architecture can include other
important security-related information, for example, user roles
and access privileges assigned to each role, unique security
requirements, the types of information processed, stored, and
transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture.

Organizations strategically allocate security safeguards (procedural, technical, or both) in the security architecture so that adversaries have to overcome multiple safeguards to achieve their objective. Requiring adversaries to defeat multiple mechanisms makes it more difficult to successfully attack critical information resources (i.e., increases adversary work factor) and also increases the likelihood of detection. The coordination of allocated safeguards is essential to ensure that an attack that involves one safeguard does not create adverse unintended consequences (e.g., lockout, cascading alarms) by interfering with another safeguard. Placement of security safeguards is a key activity. Greater asset criticality or information value merits additional layering. Thus, an organization may choose to place anti-virus software at organizational boundary layers, email/web servers, notebook computers, and workstations to maximize the number of related safeguards adversaries must penetrate before compromising the information and information systems.

Different information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms according to their priorities and development schedules. By having different products at different locations (e.g., server, boundary, desktop) there is an increased likelihood that at least one will detect the malicious code.

Central management refers to the organization-wide management and implementation of selected security controls and related processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed security controls and processes. As central management of security controls is generally associated with common controls, such management promotes and facilitates standardization of security control implementations and management and judicious use of organizational resources. Centrally-managed security controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate as part of organizational continuous monitoring. As part of the control selection process, organizations determine which controls may be suitable for central management based on organizational resources and capabilities. Organizations consider that it may not always be possible to centrally manage every aspect of a security control. In such cases, the security control is treated as a hybrid control with the control managed and implemented either centrally or at the information system level. Controls and control enhancements that are candidates for full or partial central management include, but are not limited to: AC-2 (1) (2) (3) (4); AC-17 (1) (2) (3) (9); AC-18 (1) (3) (4) (5); AC-19 (4); AC-22; AC-23; AT-2 (1) (2); AT-3 (1) (2) (3); AT-4; AU-6 (1) (3) (5) (6) (9); AU-7 (1) (2); AU-11, AU-13, AU-16, CA-2 (1) (2) (3); CA-3 (1) (2) (3); CA-7 (1); CA-9; CM-2 (1) (2); CM-3 (1) (4); CM-4; CM-6 (1); CM-7 (4) (5); CM-8 (all); CM-9 (1); CM-10; CM-11; CP-7 (all); CP-8 (all); SC-43; SI-2; SI-3; SI-7; and SI-8.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).

Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.

Types of classified information requiring formal indoctrination include, for example, Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartment Information (SCI).

Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.
Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.

In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be

This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii)

Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.

Classified information requiring special protection includes, for example, collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.

Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals.

Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated.

Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.
This control addresses the establishment of policy and
procedures for the effective implementation of selected
security controls and control enhancements in the RA family.
Policy and procedures reflect applicable federal laws, Executive
Orders, directives, regulations, policies, standards, and
guidance. Security program policies and procedures at the
organization level may make the need for system-specific
policies and procedures unnecessary. The policy can be
included as part of the general information security policy for
organizations or conversely, can be represented by multiple
policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in
general and for particular information systems, if needed. The
organizational risk management strategy is a key factor in
establishing policy and procedures.
Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.
Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.

In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning.

Technical surveillance countermeasures surveys are performed by qualified personnel to detect the presence of technical surveillance devices/hazards and to identify technical security weaknesses that could aid in the conduct of technical penetrations of surveyed facilities. Such surveys provide evaluations of the technical security postures of organizations and facilities and typically include thorough visual, electronic, and physical examinations in and about surveyed facilities. The surveys also provide useful input into risk assessments and organizational exposure to potential adversaries.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be

Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service.

A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.

Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use

Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.

Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.

Following a well-defined system development life cycle that includes state-of-the-practice software development methods, systems/security engineering methods, quality control processes, and testing, evaluation, and validation techniques helps to reduce the number and severity of latent errors within information systems, system components, and information system services. Reducing the number/severity of such errors reduces the number of vulnerabilities in those systems, components, and services.

Security configurations include, for example, the U.S. Government Configuration Baseline (USGCB) and any limitations on functions, ports, protocols, and services. Security characteristics include, for example, requiring that all default passwords have been changed.

COTS IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management.

The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations.

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.

This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine

Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.

External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships

Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services.

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols.

The degree of confidence that the risk from using external services is at an acceptable level depends on the trust that organizations place in the external providers, individually or in combination. Trust relationships can help organizations to gain increased levels of confidence that participating service providers are providing adequate protection for the services rendered. Such relationships can be complicated due to the number of potential entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and the types of interactions between the parties. In some cases, the degree of trust is based on the amount of direct control organizations are able to exert on external service providers with regard to employment of security controls necessary for the protection of the service/information and the evidence brought forth as to the effectiveness of those controls. The level of control is typically established by the terms and conditions of the contracts or service-level agreements and can range from extensive control (e.g., negotiating contracts or agreements that specify security requirements for the providers) to very limited control (e.g., using contracts or service-level agreements to obtain commodity services such as commercial telecommunications services). In other cases, levels of trust are based on factors that convince organizations that required security controls have been employed and that determinations of control effectiveness exist. For example, separately authorized external information system services provided to organizations through well-established business relationships may provide degrees of trust in such services within the tolerable risk range of the organizations using the services. External service providers may also outsource selected services to other external entities, making the trust relationship more difficult and complicated to manage. Depending on the nature of the services, organizations may find it very difficult to place significant trust in external providers. This is not due to any inherent untrustworthiness on the part of providers, but to the intrinsic level of risk in the services.

As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), conducting periodic/unscheduled visits to service provider facilities.

The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information services emanate.

This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.

This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components.

Alternate configuration management processes may be required, for example, when organizations use commercial off-the-shelf (COTS) information technology products. Alternate configuration management processes include organizational personnel that: (i) are responsible for reviewing/approving proposed changes to information systems, system components, and information system services; and (ii) conduct security impact analyses prior to the implementation of any changes to systems, components, or services (e.g., a configuration control board that considers security impacts of changes during development and includes representatives of both the organization and developer, when applicable).

This control enhancement allows organizations to detect unauthorized changes to hardware components through the use of tools, techniques, and/or mechanisms provided by developers. Organizations verify the integrity of hardware components, for example, with hard-to-copy labels and verifiable serial numbers provided by developers, and by requiring the implementation of anti-tamper technologies. Delivered hardware components also include updates to such components.

This control enhancement addresses changes to hardware, software, and firmware components during initial development and during system life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs and source code) and the equivalent data in master copies maintained in operational on-site environments is essential to ensure the availability of organizational information systems supporting critical missions and/or business functions.

This control enhancement addresses changes to hardware, software, and firmware components between versions during development. In contrast, SA-10 (1) and SA-10 (3) allow organizations to detect unauthorized changes to hardware, software, and firmware components through the use of tools, techniques, and/or mechanisms provided by developers.

The trusted distribution of security-relevant hardware, software, and firmware updates helps to ensure that such updates are faithful representations of the master copies maintained by the developer and have not been tampered with during distribution.

Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types

Static code analysis provides a technology and methodology for security reviews. Such analysis can be used to identify security vulnerabilities and enforce security coding practices. Static code analysis is most effective when used early in the development process, when each code change can be automatically scanned for potential weaknesses. Static analysis can provide clear remediation guidance along with defects to enable developers to fix such defects. Evidence of correct implementation of static analysis can include, for example, aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were fixed. An excessively high density of ignored findings (commonly referred to as ignored or false positives) indicates a potential problem with the analysis process or tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.

Applications may deviate significantly from the functional and design specifications created during the requirements and design phases of the system development life cycle. Therefore, threat and vulnerability analyses of information systems, system components, and information system services prior to delivery are critical to the effective operation of those systems, components, and services. Threat and vulnerability analyses at this phase of the life cycle help to ensure that design or implementation changes have been accounted for, and that any new vulnerabilities created as a result of those changes have been reviewed and mitigated.

Independent agents have the necessary qualifications (i.e., expertise, skills, training, and experience) to verify the correct implementation of developer security assessment plans.

Manual code reviews are usually reserved for the critical software and firmware components of information systems. Such code reviews are uniquely effective at identifying weaknesses that require knowledge of the application's requirements or context which are generally unavailable to more automated analytic tools and techniques such as static or dynamic analysis. Components benefiting from manual review include, for example, verifying access control matrices against application controls and reviewing more detailed aspects of cryptographic implementations and controls.

Penetration testing is an assessment methodology in which assessors, using all available information technology product and/or information system documentation (e.g., product/system design specifications, source code, and administrator/operator manuals) and working under specific constraints, attempt to circumvent implemented security features of information technology products and information systems. Penetration testing can include, for example, white, gray, or black box testing with analyses performed by skilled security professionals simulating adversary actions. The objective of penetration testing is to uncover potential vulnerabilities in information technology products and information systems resulting from implementation errors, configuration faults, or other operational deployment weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible.

Attack surfaces of information systems are exposed areas that make those systems more vulnerable to cyber attacks. This includes any accessible areas where weaknesses or deficiencies in information systems (including the hardware, software, and firmware components) provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers: (i) analyze both design and implementation changes to information systems; and (ii) mitigate attack vectors generated as a result of the changes. Correction of identified flaws includes, for example, deprecation of unsafe functions.

Verifying that security testing/evaluation provides complete coverage of required security controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance corresponding to the degree of formality of the analysis. Rigorously demonstrating security control coverage at the highest levels of assurance can be provided by the use of formal modeling and analysis techniques including correlation between control implementation and corresponding test cases.

Dynamic code analysis provides run-time verification of software programs, using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic analysis employs run-time tools to help to ensure that security functionality performs in the manner in which it was designed. A specialized type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies derive from the intended use of applications and the functional and design specifications for the applications. To understand the scope of dynamic code analysis and hence the assurance provided, organizations may also consider conducting code coverage analysis (checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and/or concordance analysis (checking for words that are out of place in software code such as non-English language words or derogatory terms).

Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.

The use of acquisition and procurement processes by organizations early in the system development life cycle provides an important vehicle to protect the supply chain. Organizations use available all-source intelligence analysis to inform the tailoring of acquisition strategies, tools, and methods. There are a number of different tools and techniques available (e.g., obscuring the end use of an information system or system component, using blind or filtered buys). Organizations also consider creating incentives for suppliers who: (i) implement required security safeguards; (ii) promote transparency into their organizational processes and security practices; (iii) provide additional vetting of the processes and security practices of subordinate suppliers, critical information system components, and services; (iv) restrict purchases from specific suppliers or countries; and (v) provide contract language regarding the prohibition of tainted or counterfeit components. In addition, organizations consider minimizing the time between purchase decisions and required delivery to limit opportunities for adversaries to corrupt information system components or products. Finally, organizations can use trusted/controlled distribution, delivery, and warehousing options to reduce supply chain risk (e.g., requiring tamper-evident packaging of information system components during shipping and warehousing).

Supplier reviews include, for example: (i) analysis of supplier processes used to design, develop, test, implement, verify, deliver, and support information systems, system components, and information system services; and (ii) assessment of supplier training and experience in developing systems, components, or services with the required security capability. These reviews provide organizations with increased levels of visibility into supplier activities during the system development life cycle to promote more effective supply chain risk management. Supplier reviews can also help determine whether primary suppliers have security safeguards in place and a practice for vetting subordinate suppliers, for example, second- and third-tier suppliers, and any subcontractors.

Supply chain risk is part of the advanced persistent threat (APT). Security safeguards and countermeasures to reduce the probability of adversaries successfully identifying and targeting the supply chain include, for example: (i) avoiding the purchase of custom configurations to reduce the risk of acquiring information systems, components, or products that have been corrupted via supply chain actions targeted at specific organizations; (ii) employing a diverse set of suppliers to limit the potential harm from any given supplier in the supply chain; (iii) employing approved vendor lists with standing reputations in industry, and (iv) using procurement carve outs (i.e., exclusions to commitments or obligations).

Assessments include, for example, testing, evaluations, reviews, and analyses. Independent, third-party entities or organizational personnel conduct assessments of systems, components, products, tools, and services. Organizations conduct assessments to uncover unintentional vulnerabilities and intentional vulnerabilities including, for example, malicious code, malicious processes, defective software, and counterfeits. Assessments can include, for example, static analyses, dynamic analyses, simulations, white, gray, and black box testing, fuzz testing, penetration testing, and ensuring that components or services are genuine (e.g., using tags, cryptographic hash verifications, or digital signatures). Evidence generated during security assessments is documented for follow-on actions carried out by organizations.

All-source intelligence analysis is employed by organizations to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data in the production of finished intelligence. Where available, such information is used to analyze the risk of both intentional and unintentional vulnerabilities from development, manufacturing, and delivery processes, people, and the environment. This review is performed on suppliers at multiple tiers in the supply chain sufficient to manage risks.

Supply chain information includes, for example: user identities; uses for information systems, information system components, and information system services; supplier identities; supplier processes; security requirements; design specifications; testing and evaluation results; and system/component configurations. This control enhancement expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process of identifying critical information and subsequently analyzing friendly actions attendant to operations and other activities to: (i) identify those actions that can be observed by potential adversaries; (ii) determine indicators that adversaries might obtain that could be interpreted or pieced together to derive critical information in sufficient time to cause harm to

For some information system components, especially hardware, there are technical means to help determine if the components are genuine or have been altered. Security safeguards used to validate the authenticity of information systems and information system components include, for example, optical/nanotechnology tagging and side-channel analysis. For hardware, detailed bill of material information can highlight the elements with embedded logic complete with component and production location.

This control enhancement addresses analysis and/or testing of the supply chain, not just delivered items. Supply chain elements are information technology products or product components that contain programmable logic and that are critically important to information system functions. Supply chain processes include, for example: (i) hardware, software, and firmware development processes; (ii) shipping/handling procedures; (iii) personnel and physical security programs; (iv)

The establishment of inter-organizational agreements and procedures provides for notification of supply chain compromises. Early notification of supply chain compromises that can potentially adversely affect or have adversely affected organizational information systems, including critical system components, is essential for organizations to provide appropriate responses to such incidents.

Adversaries can attempt to impede organizational operations by disrupting the supply of critical information system components or corrupting supplier operations. Safeguards to ensure adequate supplies of critical information system components include, for example: (i) the use of multiple suppliers throughout the supply chain for the identified critical components; and (ii) stockpiling of spare components to ensure operation during mission-critical times.

Knowing who and what is in the supply chains of organizations is critical to gaining visibility into what is happening within such supply chains, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into supply chains (i.e., elements, processes, and actors), it is very difficult for organizations to understand and therefore manage risk, and to reduce the likelihood of adverse events. Uniquely identifying acquirer and integrator roles, organizations, personnel, mission and element processes, testing and evaluation procedures, delivery mechanisms, support mechanisms, communications/delivery paths, and disposal/final disposition activities as well as the components and tools used, establishes a foundational identity structure for assessment of supply chain activities. For example, labeling (using serial numbers) and tagging (using radio-frequency identification [RFID] tags) individual supply chain elements including software packages, modules, and hardware devices, and processes associated with those elements can be used for this purpose. Identification methods are sufficient to support the provenance in the event of a supply chain issue or adverse supply chain event.

Evidence generated during independent or organizational assessments of supply chain elements (e.g., penetration testing, audits, verification/validation activities) is documented and used in follow-on processes implemented by organizations to respond to the risks related to the identified weaknesses and deficiencies. Supply chain elements include, for example, supplier development processes and supplier distribution systems.

This control helps organizations to make explicit trustworthiness decisions when designing, developing, and implementing information systems that are needed to conduct critical organizational missions/business functions. Trustworthiness is a characteristic/property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information it processes, stores, or transmits. Trustworthy systems are systems that are capable of being trusted to operate within defined levels of risk despite the environmental disruptions, human errors, and purposeful attacks that are expected to occur in the specified environments of operation. Trustworthy systems are important to mission/business success. Two factors affecting the trustworthiness of information systems include: (i) security functionality (i.e., the security features, functions, and/or mechanisms employed within the system and its environment of operation); and (ii) security assurance (i.e., the grounds for confidence that the security functionality is effective in its application). Developers, implementers, operators, and maintainers of organizational information systems can increase the level of assurance (and trustworthiness), for example, by employing well-defined security policy models, structured and rigorous hardware, software, and firmware development techniques, sound system/security engineering principles, and secure configuration settings (defined by a set of assurance-related security controls in Appendix E). Assurance is also based on the assessment of evidence produced during the system development life cycle. Critical missions/business functions are supported by high-impact systems and the associated assurance requirements for such systems. The additional assurance controls in Table E-4 in Appendix E (designated as optional) can be used to develop and implement high-assurance solutions for specific information systems and system components using the concept of overlays described in Appendix I. Organizations select assurance overlays that have been developed, validated, and approved for community adoption (e.g., cross-organization, governmentwide), limiting the development of such overlays on an organization-by-organization basis. Organizations can conduct criticality analyses as described in SA-14, to determine the information systems, system components, or information system services that require high-assurance solutions. Trustworthiness requirements and assurance overlays can be described in the security plans for organizational information systems.

Criticality analysis is a key tenet of supply chain risk management and informs the prioritization of supply chain protection activities such as attack surface reduction, use of all-source intelligence, and tailored acquisition strategies. Information system engineers can conduct an end-to-end functional decomposition of an information system to identify mission-critical functions and components. The functional decomposition includes the identification of core organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when functions are shared by many components within and beyond the information system boundary. Information system components that allow for unmediated access to critical components or functions are considered critical due to the inherent vulnerabilities such components create. Criticality is assessed in terms of the impact of the function or component failure on the ability of the component to complete the organizational missions supported by the information system. A criticality analysis is performed whenever an architecture or design is being developed or modified, including upgrades.

Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.

Organizations use quality metrics to establish minimum acceptable levels of information system quality. Metrics may include quality gates which are collections of completion criteria or sufficiency standards representing the satisfactory execution of particular phases of the system development project. A quality gate, for example, may require the elimination of all compiler warnings or an explicit determination that the warnings have no impact on the effectiveness of required security capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. These metrics can include defining the severity thresholds of vulnerabilities, for example, requiring no known vulnerabilities in the delivered information system with a Common Vulnerability Scoring System (CVSS) severity of Medium or High.

Information system development teams select and deploy security tracking tools, including, for example, vulnerability/work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with system development processes.

This control enhancement provides developer input to the criticality analysis performed by organizations in SA-14. Developer input is essential to such analysis because organizations may not have access to detailed design documentation for information system components that are developed as commercial off-the-shelf (COTS) information technology products (e.g., functional specifications, high-level designs, low-level designs, and source code/hardware schematics).

Attack surface reduction is closely aligned with developer threat and vulnerability analyses and information system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within information systems, information system components, and information system services. Attack surface reduction includes, for example, applying the principle of least privilege, employing layered defenses, applying the principle of least functionality (i.e., restricting ports, protocols, functions, and services), deprecating unsafe functions, and eliminating application programming interfaces (APIs) that are vulnerable to cyber attacks.

Developers of information systems, information system components, and information system services consider the effectiveness/efficiency of current development processes for meeting quality objectives and addressing security capabilities in current threat environments.

Analysis of vulnerabilities found in similar software applications can inform potential design or implementation issues for information systems under development. Similar information systems or system components may exist within developer organizations. Authoritative vulnerability information is available from a variety of public and private sector sources including, for example, the National Vulnerability Database.

The use of live data in preproduction environments can result in significant risk to organizations. Organizations can minimize such risk by using test or dummy data during the development and testing of information systems, information system components, and information system services.

The incident response plan for developers of information systems, system components, and information system services is incorporated into organizational incident response plans to provide the type of incident response information not readily available to organizations. Such information may be extremely helpful, for example, when organizations respond to vulnerabilities in commercial off-the-shelf (COTS) information technology products.

Archiving relevant documentation from the development process can provide a readily available baseline of information that can be helpful during information system/component upgrades or modifications.

This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.

This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization's enterprise architecture and information security architecture.

Formal models describe specific behaviors or security policies using formal languages, thus enabling the correctness of those behaviors/policies to be formally proven. Not all components of information systems can be modeled, and generally, formal specifications are scoped to specific behaviors or policies of interest (e.g., nondiscretionary access control policies). Organizations choose the particular formal modeling language and approach based on the nature of the behaviors/policies to be described and the available tools. Formal modeling tools include, for example, Gypsy and Zed.

Security-relevant hardware, software, and firmware represent the portion of the information system, component, or service that must be trusted to perform correctly in order to maintain required security properties.

Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal information system description, and that the formal system description is correctly implemented by a description of some lower level, for example a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Consistency between the formal top-level specification and the implementation may require the use of an informal demonstration due to limitations in the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output.

Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details present have no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal/informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include, for example, mapping registers and direct memory input/output.

Anti-tamper technologies and techniques provide a level of protection for critical information systems, system components, and information technology products against a number of related threats including modification, reverse engineering, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting information systems, components, and products during distribution and when in use.

Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations employ obfuscation and self-checking, for example, to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. Customization of information systems and system components can make substitutions easier to detect and therefore limit damage.

This control enhancement addresses both physical and logical tampering and is typically applied to mobile devices, notebook computers, or other system components taken out of organization-controlled areas. Indications of need for inspection include, for example, when individuals return from travel to high-risk locations.

Sources of counterfeit components include, for example, manufacturers, developers, vendors, and contractors. Anti-counterfeiting policy and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include, for example, US-CERT.

Proper disposal of information system components helps to prevent such components from entering the gray market.

Organizations determine that certain information system components likely cannot be trusted due to specific threats to and vulnerabilities in those components, and for which there are no viable security controls to adequately mitigate the resulting risk. Re-implementation or custom development of such components helps to satisfy requirements for higher assurance. This is accomplished by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to re-implement or custom develop critical information system components, additional safeguards can be employed (e.g., enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files).

Because the information system, system component, or information system service may be employed in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that the developer is trustworthy. The degree of trust required of the developer may need to be consistent with that of the individuals accessing the information system/component/service once deployed. Examples of authorization and personnel screening criteria include clearance, satisfactory background checks, citizenship, and nationality. Trustworthiness of developers may also include a review and analysis of company ownership and any relationships the company has with entities potentially affecting the quality/reliability of the systems, components, or services being developed.

Satisfying required access authorizations and personnel screening criteria includes, for example, providing a listing of all the individuals authorized to perform development activities on the selected information system, system component, or information system service so that organizations can validate that the developer has satisfied the necessary authorization and screening requirements.

Support for information system components includes, for example, software patches, firmware updates, replacement parts, and maintenance contracts. Unsupported components (e.g., when vendors are no longer providing critical software patches) provide a substantial opportunity for adversaries to exploit new weaknesses discovered in the currently installed components. Exceptions to replacing unsupported system components may include, for example, systems that provide critical mission/business capability where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.

This control enhancement addresses the need to provide continued support for selected information system components that are no longer supported by the original developers, vendors, or manufacturers when such components remain essential to mission/business operations. Organizations can establish in-house support, for example, by developing customized patches for critical software components, or secure the services of external providers who, through contractual relationships, provide ongoing support for the designated unsupported components. Such contractual relationships can include, for example, Open Source Software value-added vendors.

This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.

Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

This control enhancement ensures that administration options (e.g., administrator privileges) are not available to general users (including prohibiting the use of the grey-out option commonly used to eliminate accessibility to such information). Such restrictions include, for example, not presenting administration options until users establish sessions with administrator privileges.

The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.

Underlying hardware separation mechanisms include, for example, hardware ring architectures, commonly implemented within microprocessors, and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable).

Security function isolation occurs as a result of implementation; the functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include, for example, auditing, intrusion detection, and anti-virus functions.

In those instances where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize the nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or maliciousness in such software, by virtue of being within the boundary, can impact the security functions of organizational information systems. The design objective is that the specific portions of information systems providing information security are of minimal size/complexity. Minimizing the number of nonsecurity functions in the security-relevant components of information systems allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing nonsecurity functions within the isolation boundaries, the amount of code that must be trusted to enforce security policies is reduced, thus contributing to understandability.

The reduction in inter-module interactions helps to constrain security functions and to manage complexity. The concepts of coupling and cohesion are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesion refers to the relationship between the different functions within a particular module. Good software engineering practices rely on modular decomposition, layering, and minimization to reduce and manage complexity, thus producing software modules that are highly cohesive and loosely coupled.

The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) further enables the isolation of security functions and management of complexity.

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. Control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence, which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

This control enhancement applies when there are explicit changes in information processing levels during information system operations, for example, during multilevel processing and periods processing with information at different classification levels or security categories. Organization-defined procedures may include, for example, approved sanitization processes for electronically stored information.

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

Restricting the ability of individuals to launch denial of service attacks requires that the mechanisms used for such attacks are unavailable. Individuals of concern can include, for example, hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., network, wireless spectrum). Organizations can also limit the ability of individuals to use excessive information system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems.

Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Organizations consider utilization and capacity of information system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. Information system resources sensitive to denial of service include, for example, physical disk storage, memory, and CPU cycles. Common safeguards to prevent denial of service attacks related to storage utilization and capacity include, for example, instituting disk quotas, configuring information systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data.

Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed
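The two passages above on storage-related denial of service safeguards (disk quotas, alerting administrators when capacity thresholds are reached, separate system and user partitions) and on quotas that keep users or processes from obtaining more than predetermined amounts of a resource describe checks that are easy to state but rarely shown. The following is an added example, not code from the publication or from any operating system; the partitions, principals, quotas, and threshold values are constructed sample data, and the names (`Partition`, `QuotaLedger`, `capacity_alerts`) are this example's own.

```python
"""Storage-capacity alerting and quota enforcement (added illustration).

Models two of the safeguards named in the guidance: alerting when a
partition reaches an organization-defined utilization threshold, and a
per-principal quota that refuses allocations beyond a predetermined
limit. All data below is constructed sample data; this is not NIST code
and is not tied to any particular operating system.
"""
from dataclasses import dataclass, field


@dataclass
class Partition:
    """One storage partition and the utilization levels that trigger alerts."""
    name: str
    capacity_bytes: int
    used_bytes: int
    # Alert levels are organization-defined; these are constructed values.
    alert_thresholds: tuple = (0.80, 0.90, 0.95)

    def utilization(self) -> float:
        return self.used_bytes / self.capacity_bytes

    def highest_threshold_reached(self):
        """Highest configured threshold that utilization has reached, or None."""
        reached = [t for t in self.alert_thresholds if self.utilization() >= t]
        return max(reached) if reached else None


def capacity_alerts(partitions):
    """Return (partition, utilization, threshold) for every partition that has
    reached an alert threshold; one administrator notification per entry."""
    alerts = []
    for p in partitions:
        t = p.highest_threshold_reached()
        if t is not None:
            alerts.append((p.name, round(p.utilization(), 3), t))
    return alerts


@dataclass
class QuotaLedger:
    """Tracks per-principal storage usage and enforces predetermined limits."""
    quotas: dict            # principal -> byte limit
    default_limit: int      # applied to any principal without an explicit quota
    usage: dict = field(default_factory=dict)

    def limit_for(self, principal: str) -> int:
        return self.quotas.get(principal, self.default_limit)

    def request(self, principal: str, nbytes: int) -> bool:
        """Grant the allocation only if it keeps the principal within quota.
        A refused request leaves the recorded usage unchanged."""
        current = self.usage.get(principal, 0)
        if current + nbytes > self.limit_for(principal):
            return False
        self.usage[principal] = current + nbytes
        return True


# Constructed sample data: system data and user data sit on separate
# partitions, as the guidance recommends, so a filling home directory
# cannot exhaust the space the operating system itself needs.
GIB = 1024 ** 3
SAMPLE_PARTITIONS = [
    Partition("/", 100 * GIB, 50 * GIB),         # 50% used: no alert
    Partition("/var/log", 20 * GIB, 19 * GIB),   # 95% used: highest threshold
    Partition("/home", 200 * GIB, 170 * GIB),    # 85% used: first threshold
]

if __name__ == "__main__":
    for name, util, threshold in capacity_alerts(SAMPLE_PARTITIONS):
        print(f"ALERT {name}: {util:.0%} used, threshold {threshold:.0%} reached")
    ledger = QuotaLedger(quotas={"alice": 10 * GIB, "svc-batch": 5 * GIB},
                         default_limit=1 * GIB)
    print(ledger.request("svc-batch", 4 * GIB))   # within quota
    print(ledger.request("svc-batch", 2 * GIB))   # refused: would exceed 5 GiB
    print(ledger.request("bob", 2 * GIB))         # refused: default 1 GiB limit
```

The ledger applies a default limit to principals that have no explicit quota, so an unexpected service account cannot consume unbounded space simply by being absent from the quota table; the threshold check reports only the highest level reached, which keeps a partition at 96% from generating three separate alerts.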

Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.

External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.

Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code.

This control enhancement provides determinations that source and destination address pairs represent authorized/allowed communications. Such determinations can be based on several factors including, for example, the presence of source/destination address pairs in lists of authorized/allowed communications, the absence of address pairs in lists of unauthorized/disallowed pairs, or meeting more general rules for authorized/allowed source/destination pairs.

Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.

Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations.

Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specifica
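The passage above on determining that source and destination address pairs represent authorized/allowed communications names three bases for the decision (presence in an allowed-pairs list, absence from a disallowed-pairs list, and more general rules) without showing how they combine. The following is an added example, not code from the publication or from any firewall product: it orders the checks so that an explicit disallowed pair always wins, an explicit allowed pair or a matching general rule permits the flow, and anything unmatched is denied, which is the deny-all, permit-by-exception posture described earlier on the page. The addresses (RFC 5737 documentation ranges), the rule, and the flow records are constructed sample data, and the names (`IncomingTrafficPolicy`, `evaluate_flows`) are this example's own.

```python
"""Source/destination address-pair authorization (added illustration).

Decides whether an incoming flow is an authorized communication from three
kinds of evidence: an explicit allowed-pairs list, an explicit
disallowed-pairs list, and general rules expressed as predicates over the
pair. Explicit denials take precedence; unmatched pairs are denied. All
addresses, rules and flow records are constructed sample data; this is not
NIST code.
"""
from ipaddress import ip_address, ip_network
import re


class IncomingTrafficPolicy:
    def __init__(self, allowed_pairs, disallowed_pairs, general_rules):
        self.allowed = {(ip_address(s), ip_address(d)) for s, d in allowed_pairs}
        self.disallowed = {(ip_address(s), ip_address(d)) for s, d in disallowed_pairs}
        # general_rules: list of (name, predicate(src, dst) -> bool)
        self.rules = list(general_rules)

    def decide(self, src, dst):
        """Return (verdict, basis) for one source/destination pair."""
        pair = (ip_address(src), ip_address(dst))
        if pair in self.disallowed:            # explicit denial wins over every allow
            return "deny", "pair present in disallowed list"
        if pair in self.allowed:
            return "allow", "pair present in allowed list"
        for name, predicate in self.rules:     # more general authorization rules
            if predicate(*pair):
                return "allow", f"general rule: {name}"
        return "deny", "no matching authorization"   # permit-by-exception default


FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def evaluate_flows(policy, flow_lines):
    """Apply the policy to flow records of the form '... src=A dst=B ...' and
    return one (src, dst, verdict, basis) tuple per parseable line."""
    results = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue                            # unparseable record: skip, do not guess
        src, dst = m.group(1), m.group(2)
        verdict, basis = policy.decide(src, dst)
        results.append((src, dst, verdict, basis))
    return results


# Constructed sample policy using RFC 5737 documentation addresses.
PARTNER_NET = ip_network("203.0.113.0/24")
WEB_SERVER = ip_address("192.0.2.10")

SAMPLE_POLICY = IncomingTrafficPolicy(
    allowed_pairs=[("198.51.100.7", "192.0.2.25")],      # monitoring partner -> mail relay
    disallowed_pairs=[("203.0.113.66", "192.0.2.10")],   # one partner host explicitly blocked
    general_rules=[
        ("partner network to public web server",
         lambda s, d: s in PARTNER_NET and d == WEB_SERVER),
    ],
)

# Constructed flow records; the timestamps and protocol field are decorative.
SAMPLE_FLOWS = [
    "2024-01-01T00:00:01Z src=198.51.100.7 dst=192.0.2.25 proto=tcp",
    "2024-01-01T00:00:02Z src=203.0.113.5 dst=192.0.2.10 proto=tcp",
    "2024-01-01T00:00:03Z src=203.0.113.66 dst=192.0.2.10 proto=tcp",
    "2024-01-01T00:00:04Z src=198.51.100.7 dst=192.0.2.10 proto=tcp",
    "malformed record",
]

if __name__ == "__main__":
    for src, dst, verdict, basis in evaluate_flows(SAMPLE_POLICY, SAMPLE_FLOWS):
        print(f"{verdict:5} {src} -> {dst} ({basis})")
```

The third sample flow is the instructive one: its source lies inside the partner network, so the general rule would permit it, but the explicit disallowed entry for that host takes precedence. Returning the basis alongside the verdict also gives the boundary device something meaningful to log, so an analyst can later see which list or rule produced each decision.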