CSA CCM v3.0.1-FedRAMP 5.2.15

FedRAMP CLOU
CCM V3.0
Control Domain Updated Control Specification
Control ID Phys
Application & Interface AIS-01 Applications and programming interfaces (APIs) shall be
Security designed, developed, deployed, and tested in
Application Security accordance with leading industry standards (e.g.,
OWASP for web applications) and adhere to applicable
legal, statutory, or regulatory compliance obligations.
Application & Interface AIS-02 Prior to granting customers access to data, assets, and X
Security information systems, identified security, contractual, and
Customer Access regulatory requirements for customer access shall be
Requirements addressed.
Application & Interface AIS-03 Data input and output integrity routines (i.e., reconciliation
Security and edit checks) shall be implemented for application
Data Integrity interfaces and databases to prevent manual or
systematic processing errors, corruption of data, or
misuse.
Application & Interface AIS-04 Policies and procedures shall be established and
Security maintained in support of data security to include
Data Security / Integrity (confidentiality, integrity and availability) across multiple
system interfaces, jurisdictions and business functions to
prevent improper disclosure, alteration, or destruction.
Audit Assurance & AAC-01 Audit plans shall be developed and maintained to X
Compliance address business process disruptions. Auditing plans
Audit Planning shall focus on reviewing the effectiveness of the
implementation of security operations. All audit activities
must be agreed upon prior to executing any audits.
Audit Assurance & AAC-02 Independent reviews and assessments shall be X

Compliance performed at least annually to ensure that the
Independent Audits organization addresses nonconformities of established
policies, standards, procedures, and compliance
obligations.
Audit Assurance & AAC-03 Organizations shall create and maintain a control X
Compliance framework which captures standards, regulatory, legal,
Information System and statutory requirements relevant for their business
Regulatory Mapping needs. The control framework shall be reviewed at least
annually to ensure changes that could affect the business
processes are reflected.
Business Continuity BCR-01 A consistent unified framework for business continuity X

Management & planning and plan
Operational Resilience development shall be established, documented and
Business Continuity adopted to ensure all
Planning business continuity plans are consistent in addressing
priorities for
testing, maintenance, and information security
requirements.
Requirements for business continuity plans include the
following:
• Defined purpose and scope, aligned with relevant
dependencies
• Accessible to and understood by those who will use
them
• Owned by a named person(s) who is responsible for
their review, update, and approval
• Defined lines of communication, roles, and
responsibilities
• Detailed recovery procedures, manual work-around,
and reference information
• Method for plan invocation
Business Continuity BCR-02 Business continuity and security incident response plans X
Management & shall be subject to testing at planned intervals or upon
Operational Resilience significant organizational or environmental changes.
Business Continuity Incident response plans shall involve impacted customers
Testing (tenant) and other business relationships that represent
critical intra-supply chain business process
dependencies.
Business Continuity BCR-03 Datacenter utilities services and environmental conditions X
Management & (e.g., water, power, temperature and humidity controls,
Operational Resilience telecommunications,and internet connectivity) shall be
Datacenter Utilities / secured, monitored, maintained, and tested for continual
Environmental effectiveness at planned intervals to ensure protection
Conditions from unauthorized interception or damage, and designed
with automated fail-over or other redundancies in the
event of planned or unplanned disruptions.
Business Continuity BCR-04 Information system documentation (e.g., administrator

Management & and user guides, and architecture diagrams) shall be
Operational Resilience made available to authorized personnel to ensure the
Documentation following:
• Configuring, installing, and operating the information
system
• Effectively using the system’s security features
Business Continuity BCR-05 Physical protection against damage from natural causes X
Management & and disasters, as well as deliberate attacks, including fire,
Operational Resilience flood, atmospheric electrical discharge, solar induced
Environmental Risks geomagnetic storm, wind, earthquake, tsunami,
explosion, nuclear accident, volcanic activity, biological
hazard, civil unrest, mudslide, tectonic activity, and other
forms of natural or man-made disaster shall be
anticipated, designed, and have countermeasures
applied.
Business Continuity BCR-06 To reduce the risks from environmental threats, hazards, X
Management & and opportunities for unauthorized access, equipment
Operational Resilience shall be kept away from locations subject to high
Equipment Location probability environmental risks and supplemented by
redundant equipment located at a reasonable distance.
Business Continuity BCR-07 Policies and procedures shall be established, and X

Management & supporting business processes and technical measures
Operational Resilience implemented, for equipment maintenance ensuring
Equipment continuity and availability of operations and support
Maintenance personnel.
Business Continuity BCR-08 Protection measures shall be put into place to react to X
Management & natural and man-made threats based upon a
Operational Resilience geographically-specific Business Impact Assessment
Equipment Power
Failures
Business Continuity BCR-09 There shall be a defined and documented method for X
Management & determining the impact of any disruption to the
Operational Resilience organization (cloud provider, cloud consumer) that must
Impact Analysis incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes,
applications, business partners, and third party service
providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned
disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of
critical products and services within their maximum
tolerable period of disruption
• Estimate the resources required for resumption
Business Continuity BCR-10 Policies and procedures shall be established, and
Management & supporting business
Operational Resilience processes and technical measures implemented, for
Policy appropriate IT
governance and service management to ensure
appropriate planning,
delivery and support of the organization's IT capabilities
supporting
business functions, workforce, and/or customers based
on industry
acceptable standards (i.e., ITIL v4 and COBIT 5).
Additionally, policies
and procedures shall include defined roles and
responsibilities
supported by regular workforce training.
Business Continuity BCR-11 Policies and procedures shall be established, and

Management & supporting business processes and technical measures
Operational Resilience implemented, for defining and adhering to the retention
Retention Policy period of any critical asset as per established policies and
procedures, as well as applicable legal, statutory, or
regulatory compliance obligations. Backup and recovery
measures shall be incorporated as part of business
continuity planning and tested accordingly for
effectiveness.
Change Control & CCC-01 Policies and procedures shall be established, and X
Configuration supporting business processes and technical measures
Management implemented, to ensure the development and/or
New Development / acquisition of new data, physical or virtual applications,
Acquisition infrastructure network and systems components, or any
corporate, operations and/or datacenter facilities have
been pre-authorized by the organization's business
leadership or other accountable business role or function.
Change Control & CCC-02 External business partners shall adhere to the same
Configuration policies and procedures for change management,
Management release, and testing as internal developers within the
Outsourced organization (e.g. ITIL service management processes).
Development
Change Control & CCC-03 Organization shall follow a defined quality change control
Configuration and testing process (e.g. ITIL Service Management) with
Management established baselines, testing, and release standards that
Quality Testing focus on system availability, confidentiality, and integrity
of systems and services.
Change Control & CCC-04 Policies and procedures shall be established, and
Configuration supporting business processes and technical measures
Management implemented, to restrict the installation of unauthorized
Unauthorized Software software on organizationally-owned or managed user
Installations end-point devices (e.g., issued workstations, laptops, and
mobile devices) and IT infrastructure network and
systems components.
Change Control & CCC-05 Policies and procedures shall be established for
Configuration managing the risks associated with applying changes to:
Management • business-critical or customer (tenant)-impacting
Production Changes (physical and virtual) applications and system-system
interface (API) designs and configurations
• infrastructure network and systems components
Technical measures shall be implemented to provide
assurance that all changes directly correspond to a
registered change request, business-critical or customer
(tenant) , and/or authorization by, the customer (tenant)
as per agreement (SLA) prior to deployment.
Data Security & DSI-01 Data and objects containing data shall be assigned a
Information Lifecycle classification by the data owner based on data type,
Management value, sensitivity, and criticality to the organization.
Classification
Data Security & DSI-02 Policies and procedures shall be established to inventory,
Information Lifecycle document, and maintain data flows for data that is
Management resident (permanently or temporarily) within the service's
Data Inventory / Flows applications and infrastructure network and systems. In
particular, providers shall ensure that data that is subject
to geographic residency requirements not be migrated
beyond its defined bounds.
Data Security & DSI-03 Data related to electronic commerce (e-commerce) that
Information Lifecycle traverses public networks shall be appropriately classified
Management and protected from fraudulent activity, unauthorized
eCommerce disclosure, or modification in such a manner to prevent
Transactions contract dispute and compromise of data.
Data Security & DSI-04 Policies and procedures shall be established for the
Information Lifecycle labeling, handling, and security of data and objects which
Management contain data. Mechanisms for label inheritance shall be
Handling / Labeling / implemented for objects that act as aggregate containers
Security Policy for data.
Data Security & DSI-05 Production data shall not be replicated or used in non-
Information Lifecycle production environments.
Management
Non-Production Data
Data Security & DSI-06 All data shall be designated with stewardship, with
Information Lifecycle assigned responsibilities defined, documented, and
Management communicated.
Ownership /
Stewardship
Data Security & DSI-07 Any use of customer data in non-production
Information Lifecycle environments requires explicit, documented approval
Management from all customers whose data is affected, and must
Secure Disposal comply with all legal and regulatory requirements for
scrubbing of sensitive data elements.
Datacenter Security DCS-01 Assets must be classified in terms of business criticality, X

Asset Management service-level expectations, and operational continuity
requirements. A complete inventory of business-critical
assets located at all sites and/or geographical locations
and their usage over time shall be maintained and
updated regularly, and assigned ownership by defined
roles and responsibilities.
Datacenter Security DCS-02 Physical security perimeters (e.g., fences, walls, barriers, X
Controlled Access guards, gates, electronic surveillance, physical
Points authentication mechanisms, reception desks, and
security patrols) shall be implemented to safeguard
sensitive data and information systems.
Datacenter Security DCS-03 Automated equipment identification shall be used as a X

Equipment method of connection authentication. Location-aware
Identification technologies may be used to validate connection
authentication integrity based on known equipment
location.
Datacenter Security DCS-04 Authorization must be obtained prior to relocation or X
Off-Site Authorization transfer of hardware, software, or data to an offsite
premises.
Datacenter Security DCS-05 Policies and procedures shall be established for the X
Off-Site Equipment secure disposal of equipment (by asset type) used
outside the organization's premises. This shall include a
wiping solution or destruction process that renders
recovery of information impossible. The erasure shall
consist of a full overwrite of the drive to ensure that the
erased drive is released to inventory for reuse and
deployment, or securely stored until it can be destroyed.
Datacenter Security DCS-06 Policies and procedures shall be established, and X
Policy supporting business processes implemented, for
maintaining a safe and secure working environment in
offices, rooms, facilities, and secure areas storing
sensitive information.
Datacenter Security - DCS-07 Ingress and egress to secure areas shall be constrained X
Secure Area and monitored by physical access control mechanisms to
Authorization ensure that only authorized personnel are allowed
access.
Datacenter Security DCS-08 Ingress and egress points such as service areas and X
Unauthorized Persons other points where unauthorized personnel may enter the
Entry premises shall be monitored, controlled and, if possible,
isolated from data storage and processing facilities to
prevent unauthorized data corruption, compromise, and
loss.
Datacenter Security DCS-09 Physical access to information assets and functions by X
User Access users and support personnel shall be restricted.
Encryption & Key EKM-01 Keys must have identifiable owners (binding keys to
Management identities) and there shall be key management policies.
Entitlement
Encryption & Key EKM-02 Policies and procedures shall be established for the
Management management of cryptographic keys in the service's
Key Generation cryptosystem (e.g., lifecycle management from key
generation to revocation and replacement, public key
infrastructure, cryptographic protocol design and
algorithms used, access controls in place for secure key
generation, and exchange and storage including
segregation of keys used for encrypted data or sessions).
Upon request, provider shall inform the customer (tenant)
of changes within the cryptosystem, especially if the
customer (tenant) data is used as part of the service,
and/or the customer (tenant) has some shared
responsibility over implementation of the control.
Encryption & Key EKM-03 Policies and procedures shall be established, and
Management supporting business processes and technical measures
Sensitive Data implemented, for the use of encryption protocols for
Protection protection of sensitive data in storage (e.g., file servers,
databases, and end-user workstations), data in use
(memory), and data in transmission (e.g., system
interfaces, over public networks, and electronic
messaging) as per applicable legal, statutory, and
regulatory compliance obligations.
Encryption & Key EKM-04 Platform and data-appropriate encryption (e.g., AES-256)
Management in open/validated formats and standard algorithms shall
Storage and Access be required. Keys shall not be stored in the cloud (i.e. at
the cloud provider in question), but maintained by the
cloud consumer or trusted key management provider.
Key management and key usage shall be separated
Governance and Risk GRM-01 Baseline
duties. security requirements shall be established for X
Management developed or acquired, organizationally-owned or
Baseline Requirements managed, physical or virtual, applications and
infrastructure system and network components that
comply with applicable legal, statutory and regulatory
compliance obligations. Deviations from standard
baseline configurations must be authorized following
change management policies and procedures prior to
deployment, provisioning, or use. Compliance with
security baseline requirements must be reassessed at
least annually unless an alternate frequency has been
established and authorized based on business need.
Governance and Risk GRM-02 Risk assessments associated with data governance
Management requirements shall be
Data Focus Risk conducted at planned intervals and shall consider the
Assessments following:
• Awareness of where sensitive data is stored and
transmitted across
applications, databases, servers, and network
infrastructure
• Compliance with defined retention periods and end-of-
life disposal requirements
• Data classification and protection from unauthorized
use, access, loss, destruction, and falsification
Governance and Risk GRM-03 Managers are responsible for maintaining awareness of,
Management and complying with, security policies, procedures, and
Management Oversight standards that are relevant to their area of responsibility.
Governance and Risk GRM-04 An Information Security Management Program (ISMP) X

Management shall be developed, documented, approved, and
Management Program implemented that includes administrative, technical, and
physical safeguards to protect assets and data from loss,
misuse, unauthorized access, disclosure, alteration, and
destruction. The security program shall include, but not
be limited to, the following areas insofar as they relate to
the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and
maintenance
Governance and Risk GRM-05 Executive and line management shall take formal action
Management to support
Management information security through clearly-documented direction
Support/Involvement and
commitment, and shall ensure the action has been
assigned.
Governance and Risk GRM-06 Information security policies and procedures shall be
Management established and
Policy made readily available for review by all impacted
personnel and external
business relationships. Information security policies must
be
authorized by the organization's business leadership (or
other
accountable business role or function) and supported by
a strategic
business plan and an information security management
program inclusive of defined information security roles
and responsibilities for business leadership.
Governance and Risk GRM-07 A formal disciplinary or sanction policy shall be
Management established for employees who have violated security
Policy Enforcement policies and procedures. Employees shall be made
aware of what action might be taken in the event of a
violation, and disciplinary measures must be stated in the
policies and procedures.
Governance and Risk GRM-08 Risk assessment results shall include updates to security X
Management policies,
Policy Impact on Risk procedures, standards, and controls to ensure that they
Assessments remain relevant
and effective.
Governance and Risk GRM-09 The organization's business leadership (or other
Management accountable business
Policy Reviews role or function) shall review the information security
policy at
planned intervals or as a result of changes to the
organization to
ensure its continuing alignment with the security strategy,
effectiveness, accuracy, relevance, and applicability to
legal,
statutory, or regulatory compliance obligations.
Governance and Risk GRM-10 Aligned with the enterprise-wide framework, formal risk X
Management assessments shall be performed at least annually or at
Risk Assessments planned intervals, (and in conjunction with any changes
to information systems) to determine the likelihood and
impact of all identified risks using qualitative and
quantitative methods. The likelihood and impact
associated with inherent and residual risk shall be
determined independently, considering all risk categories
(e.g., audit results, threat and vulnerability analysis, and
regulatory compliance).
Governance and Risk GRM-11 Risks shall be mitigated to an acceptable level. X

Management Acceptance levels based on risk criteria shall be
Risk Management established and documented in accordance with
Framework reasonable resolution time frames and stakeholder
approval.
Human Resources HRS-01 Upon termination of workforce personnel and/or X

Asset Returns expiration of external business relationships, all
organizationally-owned assets shall be returned within an
established period.
Human Resources HRS-02 Pursuant to local laws, regulations, ethics, and
Background Screening contractual constraints, all employment candidates,
contractors, and third parties shall be subject to
background verification proportional to the data
classification to be accessed, the business requirements,
and acceptable risk.
Human Resources HRS-03 Employment agreements shall incorporate provisions X
Employment and/or terms for adherence to established information
Agreements governance and security policies and must be signed by
newly hired or on-boarded workforce personnel (e.g., full
or part-time employee or contingent staff) prior to
granting workforce personnel user access to corporate
facilities, resources, and assets.
Human Resources HRS-04 Roles and responsibilities for performing employment
Employment termination or change in employment procedures shall be
Termination assigned, documented, and communicated.
Human Resources HRS-05 Policies and procedures shall be established, and X

Mobile Device supporting business
Management processes and technical measures implemented, to
manage business risks associated with permitting mobile
device access to corporate resources and may require
the implementation of higher assurance compensating
controls and acceptable-use policies and procedures
(e.g., mandated security training, stronger identity,
entitlement and access controls, and device monitoring).
Human Resources HRS-06 Requirements for non-disclosure or confidentiality

Non-Disclosure agreements reflecting
Agreements the organization's needs for the protection of data and
operational
details shall be identified, documented, and reviewed at
Human Resources HRS-07 Roles and responsibilities of contractors, employees, and X
planned
Roles / Responsibilities third-party
intervals.
users shall be documented as they relate to information
assets and
security.
Human Resources HRS-08 Policies and procedures shall be established, and

Technology Acceptable supporting business processes and technical measures
Use implemented, for defining allowances and conditions for
permitting usage of organizationally-owned or managed
user end-point devices (e.g., issued workstations,
laptops, and mobile devices) and IT infrastructure
network and systems components. Additionally, defining
allowances and conditions to permit usage of personal
mobile devices and associated applications with access
to corporate resources (i.e., BYOD) shall be considered
and incorporated as appropriate.
Human Resources HRS-09 A security awareness training program shall be X
Training / Awareness established for all
contractors, third-party users, and employees of the
organization and
mandated when appropriate. All individuals with access
to organizational
data shall receive appropriate awareness training and
regular updates
in organizational procedures, processes, and policies
Human Resources HRS-10 relating
All to their
personnel shall be made aware of their roles and X
User Responsibility professional function
responsibilities for: relative to the organization.
• Maintaining awareness and compliance with
established policies and procedures and applicable legal,
statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment
Human Resources HRS-11 Policies and procedures shall be established to require X

Workspace that unattended workspaces do not have openly visible
(e.g., on a desktop) sensitive documents and user
computing sessions are disabled after an established
period of inactivity.
Identity & Access IAM-01 Access to, and use of, audit tools that interact with the X
Management organization's information systems shall be appropriately
Audit Tools Access segmented and restricted to prevent compromise and
misuse of log data.
Identity & Access IAM-02 User access policies and procedures shall be X
Management established, and supporting business processes and
Credential Lifecycle / technical measures implemented, for ensuring
Provision Management appropriate identity, entitlement, and access
management for all internal corporate and customer
(tenant) users with access to data and organizationally-
owned or managed (physical and virtual) application
interfaces and infrastructure network and systems
components. These policies, procedures, processes, and
measures must incorporate the following:
• Procedures and supporting roles and responsibilities
for provisioning and de-provisioning user account
entitlements following the rule of least privilege based on
job function (e.g., internal employee and contingent staff
personnel changes, customer-controlled access,
suppliers' business relationships, or other third-party
business relationships)
• Business case considerations for higher levels of
assurance and multi-factor authentication secrets (e.g.,
management interfaces, key generation, remote access,
segregation of duties, emergency access, large-scale
provisioning or geographically-distributed deployments,
and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-
tenant architectures by any third party (e.g., provider
and/or other customer (tenant))
• Identity trust verification and service-to-service
application (API) and information processing
interoperability (e.g., SSO and federation)
• Account credential lifecycle management from
instantiation through revocation
• Account credential and/or identity store minimization or
re-use when feasible
• Authentication, authorization, and accounting (AAA)
rules for access to data and sessions (e.g., encryption
and strong/multi-factor, expireable, non-shared
authentication secrets)
Identity & Access IAM-03 User access toand
• Permissions diagnostic and capabilities
supporting configurationforports shall
customer X
Management be restricted to authorized individuals and applications.
(tenant) controls over authentication, authorization, and
Diagnostic / accounting (AAA) rules for access to
Configuration Ports data and sessions
Access • Adherence to applicable legal, statutory, or regulatory
compliance requirements
Identity & Access IAM-04 Policies and procedures shall be established to store and
Management manage identity information about every person who
Policies and accesses IT infrastructure and to determine their level of
Procedures access. Policies shall also be developed to control
access to network resources based on user identity.
Identity & Access IAM-05 User access policies and procedures shall be X
Management established, and supporting business processes and
Segregation of Duties technical measures implemented, for restricting user
access as per defined segregation of duties to address
business risks associated with a user-role conflict of
interest.
Identity & Access IAM-06 Access to the organization's own developed applications,
Management program, or object source code, or any other form of
Source Code Access intellectual property (IP), and use of proprietary software
Restriction shall be appropriately restricted following the rule of least
privilege based on job function as per established user
access policies and procedures.
Identity & Access IAM-07 The identification, assessment, and prioritization of risks X
Management posed by
Third Party Access business processes requiring third-party access to the
organization's
information systems and data shall be followed by
coordinated
application of resources to minimize, monitor, and
measure likelihood
and impact of unauthorized or inappropriate access.
Compensating
controls derived from the risk analysis shall be
implemented prior to
provisioning access.
Identity & Access IAM-08 Policies and procedures are established for permissible
Management storage and
Trusted Sources access of identities used for authentication to ensure
identities are
only accessible based on rules of least privilege and
replication
limitation only to users explicitly defined as business
necessary.
Identity & Access IAM-09 Provisioning user access (e.g., employees, contractors,
Management customers
User Access (tenants), business partners and/or supplier relationships)
Authorization to data and
organizationally-owned or managed (physical and virtual)
applications,
infrastructure systems, and network components shall be
authorized by
the organization's management prior to access being
granted and
appropriately restricted as per established policies and
procedures.
Upon request, provider shall inform customer (tenant) of
this user
access, especially if customer (tenant) data is used as
part the service
and/or customer (tenant) has some shared responsibility
over
implementation of control.
Identity & Access IAM-10 User access shall be authorized and revalidated for X
Management entitlement appropriateness, at planned intervals, by the
User Access Reviews organization's business leadership or other accountable
business role or function supported by evidence to
demonstrate the organization is adhering to the rule of
least privilege based on job function. For identified
access violations, remediation must follow established
user access policies and procedures.
Identity & Access IAM-11 Timely de-provisioning (revocation or modification) of X
Management user access to
User Access data and organizationally-owned or managed (physical
Revocation and virtual)
applications, infrastructure systems, and network
components, shall be
implemented as per established policies and procedures
and based on
user's change in status (e.g., termination of employment
or other
business relationship, job change or transfer). Upon
Identity & Access IAM-12 request, provider or customer (tenant) user account
Internal corporate
Management shall inform customer
credentials shall (tenant)as
be restricted of per
these
thechanges,
following,
User ID Credentials especially if customer
ensuring appropriate identity, entitlement, and access
(tenant)
managementdata is used
and as part the service
in accordance and/or customer
with established policies
(tenant) has
and procedures:
some shared
• Identity trustresponsibility overservice-to-service
verification and implementation of
control.
interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from
instantiation through revocation
• Account credential and/or identity store minimization or
re-use when feasible
• Adherence to industry acceptable and/or regulatory
compliant authentication, authorization, and accounting
(AAA) rules (e.g., strong/multi-factor, expireable, non-
shared authentication secrets)
Identity & Access IAM-13 Utility programs capable of potentially overriding system,
Management object, network, virtual machine, and application controls
Utility Programs shall be restricted.
Access
Infrastructure & IVS-01 Higher levels of assurance are required for protection, X
Virtualization Security retention, and
Audit Logging / lifecyle management of audit logs, adhering to applicable
Intrusion Detection legal,
statutory or regulatory compliance obligations and
providing unique user
access accountability to detect potentially suspicious
network
behaviors and/or file integrity anomalies, and to support
forensic
investigative capabilities in the event of a security breach.
Infrastructure & IVS-02 The provider shall ensure the integrity of all virtual
Virtualization Security machine images at all times. Any changes made to virtual
Change Detection machine images must be logged and an alert raised
regardless of their running state (e.g. dormant, off, or
running). The results of a change or move of an image
and the subsequent validation of the image's integrity
must be immediately available to customers through
electronic methods (e.g. portals or alerts).
Infrastructure & IVS-03 A reliable and mutually agreed upon external time source
Virtualization Security shall be used to synchronize the system clocks of all
Clock Synchronization relevant information processing systems to facilitate
tracing and reconstitution of activity timelines.
Infrastructure & IVS-04 The availability, quality, and adequate capacity and
Virtualization Security resources shall be planned, prepared, and measured to
Information System deliver the required system performance in accordance
Documentation with legal, statutory, and regulatory compliance
obligations. Projections of future capacity requirements
shall be made to mitigate the risk of system overload.
Infrastructure & IVS-05 Implementers shall ensure that the security vulnerability
Virtualization Security assessment
Management - tools or services accommodate the virtualization
Vulnerability technologies used (e.g.
Management virtualization aware).
Infrastructure & IVS-06 Network environments and virtual instances shall be X
Virtualization Security designed and configured to restrict and monitor traffic
Network Security between trusted and untrusted connections. These
configurations shall be reviewed at least annually, and
supported by a documented justification for use for all
allowed services, protocols, and ports, and by
compensating controls.
Infrastructure & IVS-07 Each operating system shall be hardened to provide only
Virtualization Security necessary ports, protocols, and services to meet
OS Hardening and business needs and have in place supporting technical
Base Conrols controls such as: antivirus, file integrity monitoring, and
logging as part of their baseline operating build standard
or template.
Infrastructure & IVS-08 Production and non-production environments shall be X
Virtualization Security separated to prevent unauthorized access or changes to
Production / Non- information assets. Separation of the environments may
Production include: stateful inspection firewalls, domain/realm
Environments authentication sources, and clear segregation of duties
for personnel accessing these environments as part of
their job duties.
Infrastructure & IVS-09 Multi-tenant organizationally-owned or managed X
Virtualization Security (physical and virtual) applications, and infrastructure
Segmentation system and network components, shall be designed,
developed, deployed and configured such that provider
and customer (tenant) user access is appropriately
segmented from other tenant users, based on the
following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive
user data, and sessions that mandate stronger internal
controls and high levels of assurance
• Compliance with legal, statutory and regulatory
compliance obligations
Infrastructure & IVS-10 Secured and encrypted communication channels shall be

Virtualization Security used when
VM Security - vMotion migrating physical servers, applications, or data to
Data Protection virtualized servers
and, where possible, shall use a network segregated
from
production-level networks for such migrations.
Infrastructure & IVS-11 Access to all hypervisor management functions or
Virtualization Security administrative consoles for systems hosting virtualized
VMM Security - systems shall be restricted to personnel based upon the
Hypervisor Hardening principle of least privilege and supported through
technical controls (e.g., two-factor authentication, audit
trails, IP address filtering, firewalls, and TLS
encapsulated communications to the administrative
Infrastructure & IVS-12 Policies
consoles).and procedures shall be established, and X
Virtualization Security supporting business processes and technical measures
Wireless Security implemented, to protect wireless network environments,
including the following:
• Perimeter firewalls implemented and configured to
restrict unauthorized traffic
• Security settings enabled with strong encryption for
authentication and transmission, replacing vendor default
settings (e.g., encryption keys, passwords, and SNMP
community strings)
• User access to wireless network devices restricted to
authorized personnel
• The capability to detect the presence of unauthorized
(rogue) wireless network devices for a timely disconnect
from the network
Infrastructure & IVS-13 Network architecture diagrams shall clearly identify high-
Virtualization Security risk environments and data flows that may have legal
Network Architecture compliance impacts. Technical measures shall be
implemented and shall apply defense-in-depth
techniques (e.g., deep packet analysis, traffic throttling,
and black-holing) for detection and timely response to
network-based attacks associated with anomalous
ingress or egress traffic patterns (e.g., MAC spoofing and
ARP poisoning attacks) and/or distributed denial-of-
service (DDoS) attacks.
Interoperability & IPY-01 The provider shall use open and published APIs to
Portability ensure support for interoperability between components
APIs and to facilitate migrating applications.
Interoperability & IPY-02 All structured and unstructured data shall be available to
Portability the customer and provided to them upon request in an
Data Request industry-standard format (e.g., .doc, .xls, .pdf, logs, and
flat files)
Interoperability & IPY-03 Policies, procedures, and mutually-agreed upon X
Portability provisions and/or terms shall be established to satisfy
Policy & Legal customer (tenant) requirements for service-to-service
interoperability, and portability for application
development and information exchange, usage, and
integrity persistence.
Interoperability & IPY-04 The provider shall use secure (e.g., non-clear text and
Portability authenticated) standardized network protocols for the
Standardized Network import and export of data and to manage the service, and
Protocols shall make available a document to consumers (tenants)
detailing the relevant interoperability and portability
standards that are involved.
Interoperability & IPY-05 The provider shall use an industry-recognized
Portability virtualization platform and standard virtualization formats
Virtualization (e.g., OVF) to help ensure interoperability, and shall have
documented custom changes made to any hypervisor in
use and all solution-specific virtualization hooks available
for customer review.
Mobile Security MOS-01 Anti-malware awareness training, specific to mobile X
Anti-Malware devices, shall be included in the provider's information
security awareness training.
Mobile Security MOS-02 A documented list of approved application stores has X
Application Stores been defined as acceptable for mobile devices accessing
or storing provider managed data.
Mobile Security MOS-03 The company shall have a documented policy prohibiting
Approved Applications the installation of non-approved applications or approved
applications not obtained
Mobile Security MOS-04 through
The BYOD a pre-identified application
policy and supporting store.
awareness training X
Approved Software for clearly states the approved applications, application
BYOD stores, and application extensions and plugins that may
Mobile Security MOS-05 be
Theused for BYOD
provider usage.
shall have a documented mobile device X
Awareness and policy that includes a documented definition for mobile
Training devices and the acceptable usage and requirements for
all mobile devices. The provider shall post and
communicate the policy and requirements through the
company's security awareness and training program.
Mobile Security MOS-06 All cloud-based services used by the company's mobile
Cloud Based Services devices or BYOD
shall be pre-approved for usage and the storage of
Mobile Security MOS-07 company business
The company shall have a documented application
Compatibility data.
validation process to test for mobile device, operating
system, and application compatibility issues.
Mobile Security MOS-08 The BYOD policy shall define the device and eligibility X
Device Eligibility requirements to allow for BYOD usage.
Mobile Security MOS-09 An inventory of all mobile devices used to store and X
Device Inventory access company data shall be kept and maintained. All
changes to the status of these devices (i.e., operating
system and patch levels, lost or decommissioned status,
and to whom the device is assigned or approved for
usage (BYOD)) will be included for each device in the
inventory.
Mobile Security MOS-10 A centralized, mobile device management solution shall X
Device Management be deployed to all mobile devices permitted to store,
transmit, or process customer data.
Mobile Security MOS-11 The mobile device policy shall require the use of
Encryption encryption either for
the entire device or for data identified as sensitive on all
Mobile Security MOS-12 mobile
The mobile device policy shall prohibit the circumvention X
Jailbreaking and devices
of built-inand shall be
security enforced
controls throughdevices
on mobile technology
(e.g.
Rooting controls.
jailbreaking or rooting) and shall enforce the prohibition
through detective and preventative controls on the device
or through a centralized device management system (e.g.
mobile device management).
Mobile Security MOS-13 The BYOD policy includes clarifying language for the
Legal expectation of privacy, requirements for litigation, e-
discovery, and legal holds. The BYOD policy shall clearly
state the expectations regarding the loss of non-company
data in the case a wipe of the device is required.
Mobile Security MOS-14 BYOD and/or company-owned devices are configured to
Lockout Screen require an automatic lockout screen, and the requirement
shall be enforced through technical controls.
Mobile Security MOS-15 Changes to mobile device operating systems, patch
Operating Systems levels, and/or applications shall be managed through the
company's change management processes.
Mobile Security MOS-16 Password policies, applicable to mobile devices, shall be
Passwords documented and enforced through technical controls on
all company devices or devices approved for BYOD
usage, and shall prohibit the changing of password/PIN
lengths and authentication requirements.
Mobile Security MOS-17 The mobile device policy shall require the BYOD user to
Policy perform backups of data, prohibit the usage of
unapproved application stores, and require the use of
anti-malware software (where supported).
Mobile Security MOS-18 All mobile devices permitted for use through the company
Remote Wipe BYOD program or a company-assigned mobile device
shall allow for remote wipe by the company's corporate IT
or shall have all company-provided data wiped by the
company's corporate IT.
Mobile Security MOS-19 Mobile devices connecting to corporate networks, or
Security Patches storing and accessing company information, shall allow
for remote software version/patch validation. All mobile
devices shall have the latest available security-related
patches installed upon general release by the device
manufacturer or carrier and authorized IT personnel shall
be able to perform these updates remotely.
Mobile Security MOS-20 The BYOD policy shall clarify the systems and servers
Users allowed for use or access on a BYOD-enabled device.
Security Incident SEF-01 Points of contact for applicable regulation authorities, X
Management, E- national and local law enforcement, and other legal
Discovery & Cloud jurisdictional authorities shall be maintained and regularly
Forensics updated (e.g., change in impacted-scope and/or a
Contact / Authority change in any compliance obligation) to ensure direct
Maintenance compliance liaisons have been established and to be
prepared for a forensic investigation requiring rapid
engagement with law enforcement.
Security Incident SEF-02 Policies and procedures shall be established, and X

Management, E- supporting business
Discovery & Cloud processes and technical measures implemented, to
Forensics triage security-related events and ensure timely and
Incident Management thorough incident management, as per established IT
service management policies and procedures.
Security Incident SEF-03 Workforce personnel and external business relationships X

Management, E- shall be informed of their responsibilities and, if required,
Discovery & Cloud shall consent and/or contractually agree to report all
Forensics information security events in a timely manner.
Incident Reporting Information security events shall be reported through
predefined communications channels in a timely manner
adhering to applicable legal, statutory, or regulatory
compliance obligations.
Security Incident SEF-04 Proper forensic procedures, including chain of custody, X
Management, E- are required for the presentation of evidence to support
Discovery & Cloud potential legal action subject to the relevant jurisdiction
Forensics after an information security incident. Upon notification,
Incident Response customers and/or other external business partners
Legal Preparation impacted by a security breach shall be given the
opportunity to participate as is legally permissible in the
forensic investigation.
Security Incident SEF-05 Mechanisms shall be put in place to monitor and quantify X
Management, E- the types, volumes, and costs of information security
Discovery & Cloud incidents.
Forensics
Incident Response
Metrics
Supply Chain STA-01 Providers shall inspect, account for, and work with their
Management, cloud supply-chain partners to correct data quality errors
Transparency and and associated risks. Providers shall design and
Accountability implement controls to mitigate and contain data security
Data Quality and risks through proper separation of duties, role-based
Integrity access, and least-privilege access for all personnel within
their supply chain.
Supply Chain STA-02 The provider shall make security incident information
Management, available to all affected customers and providers
Transparency and periodically through electronic methods (e.g. portals).
Accountability
Incident Reporting
Supply Chain STA-03 Business-critical or customer (tenant) impacting (physical X
Management, and virtual) application and system-system interface
Transparency and (API) designs and configurations, and infrastructure
Accountability network and systems components, shall be designed,
Network / Infrastructure developed, and deployed in accordance with mutually
Services agreed-upon service and capacity-level expectations, as
well as IT governance and service management policies
and procedures.
Supply Chain STA-04 The provider shall perform annual internal assessments X
Management, of conformance to, and effectiveness of, its policies,
Transparency and procedures, and supporting measures and metrics.
Accountability
Provider Internal
Assessments
Supply Chain STA-05 Supply chain agreements (e.g., SLAs) between providers X
Management, and customers (tenants) shall incorporate at least the
Transparency and following mutually-agreed upon provisions and/or terms:
Accountability • Scope of business relationship and services offered
Supply Chain (e.g., customer (tenant) data acquisition, exchange and
Agreements usage, feature sets and functionality, personnel and
infrastructure network and systems components for
service delivery and support, roles and responsibilities of
provider and customer (tenant) and any subcontracted or
outsourced business relationships, physical geographical
location of hosted services, and any known regulatory
compliance considerations)
• Information security requirements, provider and
customer (tenant) primary points of contact for the
duration of the business relationship, and references to
detailed supporting and relevant business processes and
technical measures implemented to enable effectively
governance, risk management, assurance and legal,
statutory and regulatory compliance obligations by all
impacted business relationships
• Notification and/or pre-authorization of any changes
controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed
breach) to all customers (tenants) and other business
relationships impacted (i.e., up- and down-stream
impacted supply chain)
• Assessment and independent verification of
compliance with agreement provisions and/or terms (e.g.,
industry-acceptable certification, attestation audit
report, or equivalent forms of assurance) without posing
an unacceptable business risk of exposure to the
organization being assessed
• Expiration of the business relationship and treatment of
customer (tenant) data impacted
• Customer (tenant) service-to-service application (API)
and data interoperability and portability requirements for
application development and information exchange,
Supply Chain STA-06 Providers
usage, andshall review
integrity the risk management and
persistence X
Management, governance processes of their partners so that practices
Transparency and are consistent and aligned to account for risks inherited
Accountability from other members of that partner's cloud supply chain.
Supply Chain
Governance Reviews
Supply Chain STA-07 Policies and procedures shall be implemented to ensure X

Management, the consistent review of service agreements (e.g., SLAs)
Transparency and between providers and customers (tenants) across the
Accountability relevant supply chain (upstream/downstream).
Supply Chain Metrics
Reviews shall performed at least annually and identity
non-conformance to established agreements. The
reviews should result in actions to address service-level
conflicts or inconsistencies resulting from disparate
supplier relationships.
Supply Chain STA-08 Providers shall assure reasonable information security X
Management, across their information supply chain by performing an
Transparency and annual review. The review shall include all partners/third
Accountability party-providers upon which their information supply chain
Third Party depends on.
Assessment
Supply Chain STA-09 Third-party service providers shall demonstrate X

Management, compliance with information security and confidentiality,
Transparency and access control, service definitions, and delivery level
Accountability agreements included in third-party contracts. Third-party
Third Party Audits reports, records, and services shall undergo audit and
review at least annually to govern and maintain
compliance with the service delivery agreements.
Threat and TVM-01 Policies and procedures shall be established, and

Vulnerability supporting business processes and technical measures
Management implemented, to prevent the execution of malware on
Anti-Virus / Malicious organizationally-owned or managed user end-point
Software devices (i.e., issued workstations, laptops, and mobile
devices) and IT infrastructure network and systems
components.
Threat and TVM-02 Policies and procedures shall be established, and

Vulnerability supporting processes and technical measures
Management implemented, for timely detection of vulnerabilities within
Vulnerability / Patch organizationally-owned or managed applications,
Management infrastructure network and system components (e.g.
network vulnerability assessment, penetration testing) to
ensure the efficiency of implemented security controls. A
risk-based model for prioritizing remediation of identified
vulnerabilities shall be used. Changes shall be managed
through a change management process for all vendor-
supplied patches, configuration changes, or changes to
the organization's internally developed software. Upon
request, the provider informs customer (tenant) of
policies and procedures and identfied weaknesses
especially if customer (tenant) data is used as part the
service and/or customer (tenant) has some shared
responsibility over implementation of control.
Threat and Vulnerbility TVM-03 Policies and procedures shall be established, and
Management supporting business processes and technical measures
Mobile Code implemented, to prevent the execution of unauthorized
mobile code, defined as software transferred between
systems over a trusted or untrusted network and
executed on a local system without explicit installation or
execution by the recipient, on organizationally-owned or
managed user end-point devices (e.g., issued
workstations, laptops, and mobile devices) and IT
infrastructure network and systems components.
© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store,
display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix
(CCM) Version 3.0.1” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud
Controls Matrix v3.0.1 may be used solely for your personal, informational, non-commercial use; (b)
the Cloud Controls Matrix v3.0.1 may not be modified or altered in any way; (c) the Cloud Controls
Matrix v3.0.1 may not be redistributed; and (d) the trademark, copyright or other notices may not be
removed. You may quote portions of the Cloud Controls Matrix v3.0.1 as permitted by the Fair Use
provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud
Security Alliance Cloud Controls Matrix Version 3.0.1 (2014). If you are interested in obtaining a
license to this material for other usages not addresses in the copyright notice, please contact
info@cloudsecurityalliance.org.
FedRAMP CLOUD CONTROLS MATRIX v3.0.1 Candidate Mapping
Cloud Service Delivery Model

Architectural Relevance
Applicability
Corp Gov
Relevance
Network Compute Storage App Data SaaS PaaS
X X X X X X
X X X X X X X X
X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X
X X X X X X X X
X X X
X X X
X X X X X X X X
X X X X X
X X X X X X X X
X X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X
X X X X X X X X
X X X X X X X
X X X X
X X X X X X X
X X X X X
X X X X X X X
X X X X X X X
X X
X X
X X X X
X X X X X
X X X X X X X X
X X X X X X X
X X X X X
X X
X X X X X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X X X X X
X X X
X X X X X X X X
X X X
X X X
X X X
X X X X X X X X
X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X X X
X X X X X X X X
X X X X X X X X
X X X X
X X X X X X X
X X X X X X X X
X X X
X X X X X X X X
X X X X X X
X X X X X X X X
X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X
X X X X X X X
X X X X X X X X
X X X X X
X X X X X X
X X X
X X X X X X X
X X X X
X X X X X X X
X X X X X X X
X X X
X X X X X X X X
X X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X X X
X X X X
X X X X X X X
X X X
X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X
X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X X X X
X X X X X
X X X X X X
X X X X X
X X X X X X
X X X X X X
X X X X
X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X
X X X X X X X
X X X X X X
g
rvice Delivery Model Scope

Supplier Relationship
Applicability Applicability
Service Tenant / AICPA

IaaS
Provider Consumer 2009 TSC Map
X X S3.10.0
S3.10.0
X X X S3.2.a
X X X I3.2.0
I3.3.0
I3.4.0
I3.5.0
X X S3.4
X X S4.1.0
S4.2.0
X X X S4.1.0
S4.2.0
X X X S3.1.0
x3.1.0
X X X A3.1.0
A3.3.0
A3.4.0
X X X A3.3
X X A3.2.0
A3.4.0
X X S3.11.0
A.2.1.0
X X A3.1.0
A3.2.0
X X A3.1.0
A3.2.0
X X A3.2.0
A4.1.0
X X A3.2.0
X X X A3.1.0
A3.3.0
A3.4.0
X X S2.3.0
X X X A3.3.0
A3.4.0
I3.20.0
I3.21.0
X X S3.12.0
S3.10.0
S3.13.0
X X X S3.10.0
S3.13
X X A3.13.0
C3.16.0
I3.14.0
S3.10.0
S3.13
X X A3.6.0
S3.5.0
S3.13.0
X X X A3.16.0
S3.13.0
X X X S3.8.0
C3.14.0
X X X S3.6
I13.3.a-e
I3.4.0
X X X S3.2.a
X X C3.5.0
S3.4.0
C3.21.0
X X S2.2.0
S2.3.0
S3.8.0
X X C3.5.0
S3.4.0
X X S3.1.0
C3.14.0
S1.2.b-c
X X A3.6.0
S3.2.a
X X S3.2.f
C3.9.0
X X X S3.4
X X A3.6.0
X X A3.6.0
X X A3.6.0
X X A3.6.0
X X S3.6.0
S3.4
X X C3.12.0
S3.6.0
S3.4
X X X
X X S1.1.0
S1.2.0(a-i)
X X X S3.1.0
C3.14.0
S1.2.b-c
X X X S1.2.f
S2.3.0
X X X x1.2.
X X S1.3.0
X X X S1.1.0
S1.3.0
S2.3.0
X X X S3.9
S2.4.0
X X X
X X X S1.1.0
X X X S3.1
x3.1.0
S4.3.0
X X X S3.1
x3.1.0
X X X S3.4
X X X S3.11.0
X X X S2.2.0
X X X S3.2.d
S3.8.e
X X X S3.4
X X X S4.1.0
X X X S1.2.f
X X X S1.2
S3.9
X X X S1.2.k
S2.2.0
X X X S2.3.0
X X X S3.3.0
S3.4.0
X X S3.2.g
X X S3.2.0
X X X S3.2.g
X X S3.2.a
X X S3.13.0
X X X S3.1
x3.1.0
X X S3.2.0
S4.3.0
X X X S3.2.0
X X X S3.2.0
X X S3.2.0
X X X S3.2.b
X X X S3.2.g
X X S3.7
X X S3.7
X X X A3.2.0
A4.1.0
X X
X X X S3.4
X X X
X X S3.4
X X X S3.4
X X
X X
X X X S3.4
X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X S4.3.0
x4.4.0
X X X IS3.7.0
S3.9.0
X X X A2.3.0
C2.3.0
I2.3.0
S2.3.0
S2.4
C3.6.0
X X X S2.4.0
C3.15.0
X X X S3.9.0
C4.1.0
X X X C2.2.0
X X
X X X S2.2.0
A3.6.0
C3.6.0
X X
X X
X X
X X S2.2.0
C2.2.0
C3.6
X X X S3.5.0
X X S3.10.0
X X X S3.4.0
S3.10.0
AICPA
Trust Service Criteria (SOC 2SM Report)
(S3.10.0) Design, acquisition, implementation, configuration,

modification, and management of infrastructure and software
are consistent with defined system security policies to enable
authorized access and to prevent unauthorized access.

are consistent with defined processing integrity and related
security policies.
(S3.2.a) a. Logical access security measures to restrict access

to information resources not deemed to be public.
(I3.2.0) The procedures related to completeness, accuracy,
timeliness, and authorization of inputs are consistent with the
documented system processing integrity policies.

timeliness, and authorization of system processing, including
error correction and database management, are consistent with

timeliness, and authorization of outputs are consistent with the
(I3.5.0) There are procedures to enable tracing of information

inputs from their source to their final disposition and vice versa.
(S3.4) Procedures exist to protect against unauthorized access

to system resources.
(S4.1.0) The entity’s system security is periodically reviewed

and compared with the defined system security policies.
(S4.2.0) There is a process to identify and address potential

impairments to the entity’s ongoing ability to achieve its
objectives in accordance with its defined system security
policies.
(S4.1.0) The entity’s system security is periodically reviewed

and compared with the defined system security policies.
(S4.2.0) There is a process to identify and address potential

impairments to the entity’s ongoing ability to achieve its
objectives in accordance with its defined system security
policies.
(S3.1.0) Procedures exist to (1) identify potential threats of
disruption to systems operation that would impair system
security commitments and (2) assess the risks associated with
the identified threats.
(x3.1.0) Procedures exist to (1) identify potential threats of

disruptions to systems operations that would impair system
[availability, processing integrity, confidentiality] commitments
and (2) assess the risks associated with the identified threats.
(A3.1.0) Procedures exist to (1) identify potential threats of

disruptions to systems operation that would impair system
availability commitments and (2) assess the risks associated
with the identified threats.
(A3.3.0) Procedures exist to provide for backup, offsite storage,

restoration, and disaster recovery consistent with the entity’s
defined system availability and related security policies.
(A3.4.0) Procedures exist to provide for the integrity of backup

data and systems maintained to support the entity’s defined
system availability and related security policies.
(A3.3) Procedures exist to provide for backup, offsite storage,
(A3.2.0) Measures to prevent or mitigate threats have been

implemented consistent with the risk assessment when
commercially practicable.
(A3.4.0) Procedures exist to protect against unauthorized

access to system resource.
(S3.11.0) Procedures exist to provide that personnel

responsible for the design, development, implementation, and
operation of systems affecting security have the qualifications
and resources to fulfill their responsibilities.
(A.2.1.0) The entity has prepared an objective description of the

system and its boundaries and communicated such description
to authorized users.





(A4.1.0) The entity’s system availability and security

performance is periodically reviewed and compared with the



(S2.3.0) Responsibility and accountability for the entity’s
system availability, confidentiality of data, processing integrity,
system security and related security policies and changes and
updates to those policies are communicated to entity personnel
responsible for implementing them.


(I3.20.0) Procedures exist to provide for restoration and

disaster recovery consistent with the entity’s defined processing
integrity policies.
(I3.21.0) Procedures exist to provide for the completeness,

accuracy, and timeliness of backup data and systems.
(S3.12.0) Procedures exist to maintain system components,
including configurations consistent with the defined system
security policies.

are consistent with defined system security policies.
(S3.13.0) Procedures exist to provide that only authorized,

tested, and documented changes are made to the system.

are consistent with defined system availability, confidentiality of
data, processing integrity, systems security and related security
policies.
(S3.13) Procedures exist to provide that only authorized,

(A3.13.0, C3.16.0, I3.14.0, S3.10.0) Design, acquisition,
implementation, configuration, modification, and management
of infrastructure and software are consistent with defined
system availability, confidentiality of data, processing integrity,
systems security and related security policies.
(S3.13) Procedures exist to provide that only authorized,

(A3.6.0) Procedures exist to restrict physical access to the

defined system including, but not limited to, facilities, backup
media, and other system components such as firewalls,
routers, and servers.
(S3.5.0) Procedures exist to protect against infection by

computer viruses, malicious code, and unauthorized software.

(A3.16.0, S3.13.0) Procedures exist to provide that only
authorized, tested, and documented changes are made to the
system.
(S3.8.0) Procedures exist to classify data in accordance with

classification policies and periodically monitor and update such
classifications as necessary.
(C3.14.0) Procedures exist to provide that system data are

classified in accordance with the defined confidentiality and
related security policies.
(S3.6) Encryption or other equivalent security techniques are
used to protect transmissions of user authentication and other
confidential information passed over the Internet or other public
networks.
(I13.3.a-e) The procedues related to completeness, accuracy,

timeliness, and authorization of system processing, including
error correction and database management, are consistent with

timeliness, and authorization of outputs are consistent with the
documented system processing integrity policiies.

(C3.5.0) The system procedures provide that confidential

information is disclosed to parties only in accordance with the
entity’s defined confidentiality and related security policies.
(S3.4.0) Procedures exist to protect against unauthorized

access to system resources.
(C3.21.0) Procedures exist to provide that confidential

information is protected during the system development,
testing, and change processes in accordance with defined
system confidentiality and related security policies.
(S2.2.0) The security obligations of users and the entity’s

security commitments to users are communicated to authorized
users.

system security policies and changes and updates to those
policies are communicated to entity personnel responsible for
implementing them.
(S3.8.0) Procedures exist to classify data in accordance with

classification policies and periodically monitor and update such
classifications as necessary
(C3.5.0) The system procedures provide that confidential
information is disclosed to parties only in accordance with the
entity’s defined confidentiality and related security policies.



(S1.2.b-c) b. Classifying data based on its criticality and

sensitivity and that classification is used to define protection
requirements, access rights and access restrictions, and
retention and destruction policies.
c. Assessing risks on a periodic basis.


(S3.2.f) f. Restriction of access to offline storage, backup data,

systems, and media.
(C3.9.0) Procedures exist to restrict physical access to the

defined system including, but not limited to: facilities, backup




(S3.6.0) Encryption or other equivalent security techniques are

used to protect transmissions of user authentication and other
confidential information passed over the Internet or other public
networks.

(C3.12.0, S3.6.0) Encryption or other equivalent security
techniques are used to protect transmissions of user
authentication and other confidential information passed over
the Internet or other public networks.

(S1.1.0) The entity’s security policies are established and

periodically reviewed and approved by a designated individual
or group.
(S1.2.0(a-i)) The entity's security policies include, but may not

be limited to, the following matters:


(S1.2.b-c) b. Classifying data based on its criticality and

sensitivity and that classification is used to define protection
requirements, access rights and access restrictions, and
retention and destruction policies.
c. Assessing risks on a periodic basis.
(S1.2.f) f. Assigning responsibility and accountability for system
availability, confidentiality, processing integrity and related
security.

system security policies and changes and updates to those
policies are communicated to entity personnel responsible for
implementing them.
(x1.2.) The entity’s system [availability, processing integrity,

confidentiality and related] security policies include, but may not
be limited to, the following matters:
(S1.3.0) Responsibility and accountability for developing and

maintaining the entity’s system security policies, and changes
and updates to those policies, are assigned.
The entity has prepared an objective description of the system

and its boundaries and communicated such description to
authorized users
The security obligations of users and the entity’s security

commitments to users are communicated to authorized users.
(S1.1.0) The entity's security policies are established and

or group.
(S1.3.0) Responsibility and accountability for developing and

maintaining the entity’s system security policies, and changes
and updates to those policies, are assigned.
(S2.3.0) Responsibility and accountability for the entity's system

security policies and changes and updates to those policies are
communicated to entity personnel responsible for implementing
them.
(S3.9) Procedures exist to provide that issues of
noncompliance with security policies are promptly addressed
and that corrective measures are taken on a timely basis.

users.
(S1.1.0) The entity’s security policies are established and

or group.
(S3.1) Procedures exist to (1) identify potential threats of

[availability, processing integrity, confidenitality] commitments
(S4.3.0) Environmental, regulatory, and technological changes

are monitored, and their effect on system availability,
confidentiality of data, processing integrity, and system
security is assessed on a timely basis; policies are updated for
that assessment.



(S3.11.0) Procedures exist to help ensure that personnel

responsible for the design, development, implementation, and
operation of systems affecting confidentiality and security have
the qualifications and resources to fulfill their responsibilities.
(S2.2.0) The security obligations of users and the entity's

users
(S3.2.d) Procedures exist to restrict logical access to the
system and information resources maintained in the system
including, but not limited to, the following matters:
d. The process to make changes and updates to user profiles
(S3.8.e) e. Procedures to prevent customers, groups of

individuals, or other entities from accessing confidential
information other than their own

(S4.1.0) The entity’s system availability, confidentiality,

processing integrity and security performance is periodically
reviewed and compared with the defined system availability
and related security policies.
(S1.2.f) f. Assigning responsibility and accountability for system
availability, confidentiality, processing integrity and related
security.
(S1.2) The entity’s security policies include, but may not be

limited to, the following matters:
(S3.9) Procedures exist to provide that issues of

(S1.2.k) The entity's security policies include, but may not be
limited to, the following matters:
k. Providing for training and other resources to support its
system security policies

users.

system availability, confidentiality, processing integrity and
security policies and changes and updates to those policies are
communicated to entity personnel responsible for implementing
them.
(S3.3.0) Procedures exist to restrict physical access to the


(S3.2.g) g. Restriction of access to system configurations,

superuser functionality, master passwords, powerful utilities,
and security devices (for example, firewalls).
(S3.2.0) Procedures exist to restrict logical access to the
defined system including, but not limited to, the following
matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser
functionality, master passwords, powerful utilities, and security
devices (for example, firewalls).




matters:

are monitored, and their effect on system availability,
confidentiality, processing integrity and security is assessed on
a timely basis; policies are updated for that assessment.

matters:

matters:
matters:
(S3.2.b) b. Identification and authentication of users.

(S3.7) Procedures exist to identify, report, and act upon system
security breaches and other incidents.
(S3.7) Procedures exist to identify, report, and act upon system

security breaches and other incidents.

(A4.1.0) The entity’s system availability and security

performance is periodically reviewed and compared with the


are monitored and their effect on system security is assessed
on a timely basis and policies are updated for that assessment.
(x4.4.0) Environmental, regulatory, and technological changes

are monitored, and their impact on system [availability,
processing integrity, confidentiality] and security is assessed on
a timely basis. System [availability, processing integrity,
confidentiality] policies and procedures are updated for such
changes as required.
(IS3.7.0) Procedures exist to identify, report, and act upon

system security breaches and other incidents.
(S3.9.0) Procedures exist to provide that issues of

noncompliance with system availability, confidentiality of data,
processing integrity and related security policies are promptly
addressed and that corrective measures are taken on a timely
basis.
(A2.3.0, C2.3.0, I2.3.0, S2.3.0) Responsibility and

accountability for the entity’s system availability, confidentiality
of data, processing integrity and related security policies and
changes and updates to those policies are communicated to
entity personnel responsible for implementing them.
(S2.4) The process for informing the entity about breaches of

the system security and for submitting complaints is
communicated to authorized users.
(C3.6.0) The entity has procedures to obtain assurance or

representation that the confidentiality policies of third parties to
whom information is transferred and upon which the entity
relies are in conformity with the entity’s defined system
confidentiality and related security policies and that the third
party is in compliance with its policies.
(S2.4.0) The process for informing the entity about system
availability issues, confidentiality issues, processing integrity
issues, security issues and breaches of the system security and
for submitting complaints is communicated to authorized users.
(C3.15.0) Procedures exist to provide that issues of

noncompliance with defined confidentiality and related security
policies are promptly addressed and that corrective measures
are taken on a timely basis.
(S3.9.0) Procedures exist to provide that issues of

(C4.1.0) The entity’s system security, availability, system

integrity, and confidentiality is periodically reviewed and
compared with the defined system security, availability, system
integrity, and confidentiality policies.
(C2.2.0) The system security, availability, system integrity, and

confidentiality and related security obligations of users and the
entity’s system security, availability, system integrity, and
confidentiality and related security commitments to users are
communicated to authorized users.
(S2.2.0) The availability, confidentiality of data, processing
integrity, system security and related security obligations of
users and the entity’s availability and related security
commitments to users are communicated to authorized users.

(C3.6.0) The entity has procedures to obtain assurance or

Note: third party service providers are addressed under either
the carve-out method or the inclusive method as it relates to the
assessment of controls.

users.
(C2.2.0) The system confidentiality and related security

obligations of users and the entity’s confidentiality and related
users before the confidential information is provided. This
communication includes, but is not limited to, the following
matters: (see sub-criteria on TSPC tab)
(C3.6) The entity has procedures to obtain assurance or


computer viruses, malicious codes, and unauthorized software.

computer viruses, malicious code, and unauthorized software.

AICPA BITS Shared Assessments
2014 TSC AUP v5.0
CC7.1 I.4
CC5.1
PI1.2 I.4
PI1.3
PI1.5
CC5.6 B.1
CC4.1
CC4.1
CC3.1
CC3.1
A1.2
A1.3
A1.2
A1.1 F.1
A1.2
A1.3
CC1.3
CC1.4
CC2.1
CC3.1 F.1
A1.1
A1.2
CC3.1 F.1
A1.1
A1.2
A1.1
A1.2
CC4.1
A1.1 F.1
A1.2
CC3.1
A1.2
A1.3
CC3.2
A1.2
A1.3
I3.21
CC7.2 I.2
CC7.1
CC7.4
CC7.1 C.2
I.1
CC7.4 I.2
I.4
CC7.1
CC7.1
CC7.1
CC7.1
CC7.4
CC5.5 G.1
I.2
CC5.8
CC7.4
CC7.4
CC7.4
CC3.1
CC3.1
CC5.7 G.4
G.11
G.16
G.18
PI1.5 I.3
I.4
CC5.1 G.13
C1.3
CC5.6
C1.1
CC2.3
CC3.1
C1.3
CC5.6
CC3.1
CC3.1
CC5.5 F.2
CC5.1 D.1
CC5.1
CC5.5
CC5.6 D.1
CC5.5 H.6
CC5.5 F.2
CC5.5 G.21
CC5.5 F.2
CC5.7
CC5.6
CC5.7 G.4
G.15
CC5.6 I.3
CC3.2 L.2
CC3.1
CC3.1
CC3.2 E.1
CC1.2
CC3.2
CC1.2
CC2.3
CC6.2
CC2.5
B.2
G.21
L.2
CC3.2 B.2
CC3.1 I.1
I.4
CC3.3
CC3.1 L.2
CC5.6 D.1
CC1.3 E.2
CC1.4
CC2.2 C.1
CC2.3
CC5.4
CC5.6
CC4.1
B.1
CC3.2 B.3
CC6.2
CC2.2 E.1
CC2.3
CC3.2 E.1
CC5.5 E.1
CC5.6
CC5.1
B.1
CC5.1
CC5.1
CC7.4
CC3.1 B.1
H.2
CC3.3
H.2
CC5.3 B.1
H.5
CC5.1
CC6.2 G.7
G.8
G.9
J.1
L.2
CC6.2 G.7
G.8
A1.1
A1.2
CC4.1
CC5.6 G.2
G.4
G.15
G.16
G.17
G.18
I.3
CC5.6 B.1
CC5.6 G.17
CC5.6 D.1
B.3
F.1
G.4
G.15
G.17
G.18
CC3.3
CC5.5 J.1
CC6.2
CC2.3 J.1
E.1
CC2.5
C1.4
C1.5
CC2.5 J.1
E.1
CC6.2
CC6.2
CC4.1
CC2.2 C.2
CC2.3
CC2.2 C.2
CC2.3
CC5.5
C1.4
C1.5
CC2.2 C.2
CC2.3
C1.4
C1.5
CC5.8
CC7.1 I.4
CC5.6
CC7.1
BITS Shared Assessments
BSI Germany
SIG v6.0
G.16.3, I.3
C.2.1, C.2.3, C.2.4, C.2.6.1, 10 (B)

H.1 11 (A+)
G.16.3, I.3
G.8.2.0.2, G.8.2.0.3, G.12.1, 6 (B)

G.12.4, G.12.9, G.12.10, 26 (A+)
G.16.2, G.19.2.1, G.19.3.2,
G.9.4, G.17.2, G.17.3, G.17.4,
G.20.1
L.1, L.2, L.7, L.9, L.11 58 (B)
L.2, L.4, L.7, L.9, L.11 58 (B)

59 (B)
61 (C+, A+)
76 (B)
77 (B)
L.1, L.2, L.4, L.7, L.9 76 (B)
77 (B)
78 (B)
83 (B)
84 (B)
85 (B)
K.1.2.3. K.1.2.4, K.1.2.5,

K.1.2.6, K.1.2.7, K.1.2.11,
K.1.2.13, K.1.2.15
K.1.3, K.1.4.3, K.1.4.6, K.1.4.7, 52 (B)
K.1.4.8, K.1.4.9, K.1.4.10, 55 (A+)
K.1.4.11, K.1.4.12
F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, 9 (B)

F.2.10, F.2.11, F.2.12 10 (B)
G.1.1 56 (B)
57 (B)
F.2.9, F.1.2.21, F.5.1, F.1.5.2,

F.2.1, F.2.7, F.2.8
F.2.9, F.1.2.21, F.5.1, F.1.5.2, 53 (A+)

F.2.1, F.2.7, F.2.8 75 (C+, A+)
F.2.19 1 (B)
F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, 54 (A+)
F.2.10, F.2.11, F.2.12
K.2
G.1.1 45 (B)
D.2.2.9 36 (B)
I.1.1, I.1.2, I.2. 7.2, I.2.8, I.2.9,
I.2.10, I.2.13, I.2.14, I.2.15,
I.2.18, I.2.22.6, L.5
C.2.4, G.4, G6, I.1, I.4.4, I.4.5, 27 (B)

I.2.7.2, I.2.8, I.2.9, I.2.15,
I.2.18, I.2.22.6, I.2.7.1, I.2.13,
I.2.14, I.2.17, I.2.20, I.2.22.2,
I.2.22.4, I.2.22.7, I.2.22.8,
I.2.22.9, I.2.22.10, I.2.22.11,
I.2.22.12, I.2.22.13, I.2.22.14,
I.3, J.1.2.10, L.7, L.9, L.10
C.1.7, G.1, G.6, I.1, I.4.5,
I.2.18, I.22.1, I.22.3, I.22.6,
I.2.23, I.2.22.2, I.2.22.4,
I.2.22.7. I.2.22.8, I.2.22.9,
I.2.22.10, I.2.22.11, I.2.22.12,
I.2.22.13, I.2.22.14,I.2.20,
I.2.17, I.2.7.1, I.3, J.2.10, L.9
G.2.13, G.20.2,G.20.4, G.20.5,

G.7, G.7.1, G.12.11, H.2.16,
I.2.22.1, I.2.22.3, I.2.22.6,
I.2.23
I.2.17, I.2.20, I.2.22
D.1.3, D.2.2
G.19.1.1, G.19.1.2, G.19.1.3,
G.10.8, G.9.11, G.14, G.15.1
D.2.2
I.2.18
C.2.5.1, C.2.5.2, D.1.3, L.7

D.2.2.10, D.2.2.11, D.2.2.14, 37 (B)
F.1.2.3, F.1.2.4, F.1.2.5, 7 (B)

F.1.2.6, F.1.2.8, F.1.2. 9,
F.1.2.10, F.1.2.11, F.1.2.12,
F.1.2.13, F.1.2.14, F.1.2.15,
F.1.2.24, F.1.3, F.1.4.2, F1.4.6,
F.1.4.7, F.1.6, F.1.7,F.1.8,
F.2.13, F.2.14, F.2.15, F.2.16,
F.2.17, F.2.18
D.1.1, D.1.3
F.2.18, F.2.19,
D.1.1, D.2.1. D.2.2,

F.1.2.3, F.1.2.4, F.1.2.5, 7 (B)
F.1.2.6, F.1.2.8, F.1.2. 9,
F.1.2.10, F.1.2.11, F.1.2.12,
F.1.2.13, F.1.2.14, F.1.2.15,
F.1.2.24, F.1.4.2, F1.4.6,
F.1.4.7, F.1.7, F.1.8, F.2.13,
F.2.14, F.2.15, F.2.16, F.2.17,
F.2.18
F.1.2.3, F.1.2.4, F.1.2.5, 7 (B)

F.1.2.6, F.1.2.8, F.1.2. 9,
F.1.2.10, F.1.2.11, F.1.2.12,
F.1.2.13, F.1.2.14, F.1.2.15,
F.1.2.24, F.1.3, F.1.4.2, F1.4.6,
F.1.4.7, F.1.6, F.1.7,F.1.8,
F.2.13, F.2.14, F.2.15, F.2.16,
F.2.17, F.2.18
F.2.18
F.1.2.3, F.1.2.4, F.1.2.5, 7 (B)

F.1.2.6, F.1.2.8, F.1.2. 9, 10 (B)
F.1.2.10, F.1.2.11, F.1.2.12,
F.1.2.13, F.1.2.14, F.1.2.15,
F.1.2.24, F.1.3, F.1.4.2, F1.4.6,
F.1.4.7, F.1.6, F.1.7,F.1.8,
F.2.13, F.2.14, F.2.15, F.2.16,
F.2.17, F.2.18
L.6 38 (B)
39 (C+)
G.10.4, G.11.1, G.11.2, G.12.1, 23 (B)
G.12.2, G.12.4, G.12.10, 24 (B)
G.14.18, G.14.19, G.16.2, 25 (B)
G.16.18, G.16.19, G.17.16,
G.17.17, G.18.13, G.18.14,
G.19.1.1, G.20.14
L.2, L.5, L.7 L.8, L.9, L.10 12 (B)

14 (B)
13 (B)
15 (B)
16 (C+, A+)
21 (B)
L.4, L.5, L.6, L.7 34 (B)

E.4 5 (B)
65 (B)
A.1, B.1 2 (B)

3 (B)
5 (B)
C.1 5 (B)
B.1
B.1.5
B.1.1, B.1.2, B.1.6, B.1.7.2,

G.2, L.9, L.10
B.1.33. B.1.34,
C.2.1, I.4.1, I.5, G.15.1.3, I.3 46 (B)
74 (B)
A.1, L.1
E.6.4
E.2 63 (B)
E.3.5 66 (B)
E.6
G.11, G12, G.20.13, G.20.14
C.2.5
B.1.5, D.1.1,D.1.3.3, E.1, F.1.1, 5 (B)

H.1.1, K.1.2
B.1.7, D.1.3.3, E.3.2, E.3.5.1,

E.3.5.2
E.4 65 (B)
E.4 65 (B)
66 (B)
E.4
B.1.8, B.1.21, B.1.28, E.6.2, 8 (B)
H.1.1, K.1.4.5, 40 (B)
41 (B)
42 (B)
43 (B)
44 (C+)
H1.1, H1.2, G.9.15

G.2.13. G.3, G.20.1, G.20.2,
G.20.5
I.2.7.2, I.2.9, I.2.10, I.2.15
B.1.1, B.1.2, D.1.1, E.1, F.1.1,

H.1.1, K.1.1, E.6.2, E.6.3
H.2.4, H.2.5, 35 (B)
40 (B)
41 (B)
42 (B)
44 (C+)
H.2.6, H.2.7, H.2.9, 41 (B)

E.6.2, E.6.3
E.6.2, E.6.3, H.1.1, H.1.2, H.2, 6 (B)

H.3.2, H.4, H.4.1, H.4.5, H.4.8
H.2.16
G.14.7, G.14.8, G.14.9,
G.14.10,G.14.11, G.14.12,
G.15.5, G.15.7, G.15.8, G.16.8,
G.16.9, G.16.10, G.15.9,
G.17.5, G.17.7, G.17.8, G.17.6,
G.17.9, G.18.2, G.18.3, G.18.5,
G.18.6, G.19.2.6, G.19.3.1,
G.9.6.2, G.9.6.3, G.9.6.4,
G.9.19, H.2.16, H.3.3, J.1, J.2,
L.5, L.9, L.10
G.13, G.14.8, G.15.5, G.16.8, 20 (B)

G.17.6, G.18.3, G.19.2.6, 28 (B)
G.19.3.1 30 (B)
35 (B)
G.5
G.9.17, G.9.7, G.10, G.9.11,
G.14.1, G.15.1, G.9.2, G.9.3,
G.9.13
I.2.7.1, I.2.20, I.2.17, I.2.22.2, 22 (B)

I.2.22.4, I.2.22.10-14, H.1.1
G.9.2, G.9.3, G.9.13

E.3.1, F.1.2.4, F.1.2.5, F.1.2.6, 40 (B)
F.1.2.8, F.1.2. 9, F.1.2.10, 44 (C+)
F.1.2.11, F.1.2.12, F.1.2.13,
F.1.2.14, F.1.2.15, F.1.2.24,
F.1.3, F.1.4.2, F1.4.6, F.1.4.7,
F.1.6, F.1.7,F.1.8, F.2.13,
F.2.14, F.2.15, F.2.16, F.2.17,
F.2.18 G.9.17, G.9.7, G.10,
G.9.11, G.14.1, G.15.1, G.9.2,
G.9.3, G.9.13
L1
J.1.1, J.1.2 46 (B)
J.1.1, E.4 5 (B)

46 (B)
48 (A+)
49 (B)
50 (B)
J.1.1, J.1.2, E.4
J.1.2 47 (B)
C.2.6, G.9.9 45 (B)

74 (B)
C.2.4, C.2.6, G.4.1, G.16.3 74 (B)
75 (C+, A+)
45 (B)
75 (C+, A+)
79 (B)
4 (C+, A+)
51 (B)
C.2.4,C.2.6, G.4.1, G.4.2, L.2, 60 (B)
L.4, L.7, L.11 62 (C+, A+)
83 (B)
84 (B)
85 (B)
G.7 17 (B)
G.15.2, I.3 32 (B)

33 (B)
G.20.12, I.2.5
Canada PIPEDA CCM V1.X
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 SA-04
Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.3 SA-01

CO-01
CO-02
Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and CO-05
Retention, Subsec. 4.1.3
RS-03
RS-04
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 RS-08
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 OP-02
OP-04
RS-02
OP-01
Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and DG-04

Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 RM-01


DG-02
--
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 IS-28
DG-03
DG-06

Retention, Subsec. 4.7.5 and 4.5.3
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3 FS-08


Schedule 1 (Section 5) 4.7 Safeguards, Subs. 4.7.3 IS-18
--
Schedule 1 (Section 5), 4.7 - Safeguards IS-04
Schedule 1 (Section 5), 4.7 - Safeguards DG-08

Schedule 1 (Section 5) 4.1 Accountability; 4.7 Safeguards, Sub 4.7 IS-14
Schedule 1 (Section 5), 4.1 - Accountability; 4.7 Safeguards IS-01
Schedule 1 (Section 5), 4.1 Safeguards, Subsec. 4.1.1 IS-02
Schedule 1 (Section 5) 4.1 Accountability, Subsec 4.1.4 IS-03

Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.4 IS-06
Schedule 1 (Section 5), 4.7 - Safeguards RI-04
IS-05
Schedule 1 (Section 5) 4.5 Limiting Use, Disclosure and IS-27

Retention; 4.7 Safeguards, Subs. 4.7.5
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3 HR-01
Schedule 1 (Section 5) 4.7 Safeguards, Subsec. 4.7.4 HR-02

HR-03
Schedule 1 (Section 5), 4.7 - Safeguards LG-01
Schedule 1 (Section 5) 4.1 Accountability IS-13

Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.4; 4.7 IS-11
Safeguards, Subs. 4.7.4

Safeguards, Subs. 4.7.4
--
Schedule 1 (Section 5) 4.7 Safeguards, Subs. 4.7.3(b) IS-15

IS-08
IS-12
Schedule 1 (Section 5) Safeguards, Subs. 4.7.2 and 4.7.3 IS-08


OP-03
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
CO-04

Openness, Subs. 4.8.2

IS-24
IS-25
--
--

--
LG-02
Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.3

--
--
--
CO-03
IS-21
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3

IS-20
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3

SA-15
CSA Enterprise Architecture
COBIT 4.1 COBIT 5.0 COPPA
(formerly Trusted Cloud Initiative)
Domain > Container > Capability

AI2.4 APO09.03 312.8 and Application Services >
APO13.01 312.10 Development Process > Software
BAI03.01 Quality Assurance
BAI03.02
BAI03.03
BAI03.05
MEA03.01
MEA03.02
APO09.01 312.3, BOSS > Legal Services >

APO09.02 312.8 and Contracts
APO09.03 312.10
APO13.01
BAI02
DSS05
DSS06.02 312.8 and Application Services >
DSS06.04 312.10 Programming Interfaces > Input
Validation
DS5.11 APO09.01 312.8 and BOSS > Data Governance > Rules
APO09.02 312.10 for Information Leakage
APO09.03 Prevention
APO13.01
DSS05.02
DSS06.06
MEA03.01
MEA03.02
ME 2.1 APO12.04 Title 16 BOSS > Compliance > Audit

ME 2.2 APO12.05 Part 312 Planning
PO 9.5 APO12.06
PO 9.6 MEA02.01
MEA02.02
DS5.5 APO12.04 Title 16 BOSS > Compliance >

ME2.5 APO12.05 Part 312 Independent Audits
ME 3.1 DSS05.07
PO 9.6 MEA02.06
MEA02.07
MEA02.08
MEA03.01
ME 3.1 APO12.01 312.4 BOSS > Compliance > Information
APO12.02 System Regulatory Mapping
APO12.03
MEA03.01
DSS04.01 BOSS > Operational Risk Manageme

DSS04.02
DSS04.03
DSS04.05
DSS04.04 BOSS > Operational Risk Manageme
DSS01.03 312.8 and Infra Services > Facility Security

DSS01.04
DSS01.05
DSS04.03
DS 9 BAI08 312.8 and SRM > Policies and Standards >

DS 13.1 BAI10 Job Aid Guidelines
DSS01.01
DSS01.03 Infra Services > Facility Security

DSS01.04
DSS01.05

DSS01.05 312.10
A13.3 BAI03.10 Infra Services > Equipment

BAI04.03 Maintenance >
BAI04.04
DSS03.05
DSS01.05
DSS04.01
DSS04.02
DSS04.03
BAI06.01 ITOS > Service Delivery > Informat

BAI10.01
BAI10.02
BAI10.03
DSS04.01
DSS04.02
DS13.1 APO01 SRM > Policies and Standards >
APO07.01 Operational Security Baselines
APO07.03
APO09.03
DSS01.01
DS 4.1 BAI09.01 312.3 BOSS > Data Governance > Data

DS 4.2 BAI09.02 Retention Rules
DS 4.5 BAI09.03
DS 4.9 DSS04.01
DS 11.6 DSS04.02
DSS04.03
DSS04.04
DSS04.07
MEA03.01
A12 APO01.02 ITOS > IT Operation > Architecture
A16.1 APO01.06 Governance
BAI02.04
BAI06.01
APO07.06 ITOS > IT Operation > Architecture

APO09.03
APO09.04
APO10.01
APO10.04
APO10.05
APO11.01
APO11.02
APO11.04
APO11.05
PO 8.1 APO11.01 ITOS > Service Support > Release
APO11.02 Management
APO11.04
APO11.05
BAI02.04
BAI03.06
BAI03.08
BAI07.03
BAI07.05
APO13.01 312.8 and ITOS > Service Support > Configu

BAI06.01
BAI10
DSS05.03
DSS05.04
DSS05.05
DSS05.07
DSS06.03
A16.1 BAI06.01 ITOS > Service Support > Release
A17.6 BAI06.02 Management
BAI06.03
BAI06.04
BAI07.01
BAI07.03
BAI07.04
BAI07.05
BAI07.06
PO 2.3 APO01.06 312.3 BOSS > Data Governance > Data

DS 11.6 APO03.02 Classification
APO08.01
APO09.03
APO13.01
BAI09.01
BAI09.02
BAI09.03
APO01.06
DSS04.07 BOSS > Data Governance >
APO03.01
DSS05.04 Handling / Labeling / Security
APO03.02
DSS05.05 Policy
APO09.01
DSS06.06
APO09.01
BAI06.03
BAI09.01
BAI10.01
BAI10.02
BAI10.03
BAI10.04
BAI10.05
DS 5.10 5.11 APO01.06 312.8 and SRM > Cryptographic Services >
APO03.02 312.10 Data in Transit Encryption
APO08.01
APO13.01
APO13.02
DSS05
DSS06
PO 2.3 APO01.06 312.2 BOSS > Data Governance >

DS 11.6 APO03.02 Handling / Labeling / Security
APO08.01 Policy
APO09.03
APO13.01
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
APO01.06 SRM > Policies and Standards > Te
DSS06.06
BAI01.01
BAI03.07
BAI07.04
DS5.1 APO01.06 312.4 BOSS > Data Governance > Data

PO 2.3 APO03.02 Ownership / Stewadship
APO13.01
APO13.03
DS 11.4 APO01.06 312.3 BOSS > Data Governance >
APO13.01 Secure Disposal of Data
BAI09.03
DSS01.01
APO01.06 ITOS > Service Support > Configura

APO03.02
APO08.01
APO09.03
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
DS 12.2 APO13.01 312.8 and Infra Services > Facility Security >
DS 12.3 DSS01.01 Controlled Physical Access
DSS01.05
DSS05.05
DSS06.03
DSS06.06
DS5.7 APO13.01 312.3, > >

DSS05.02 312.8 and
DSS05.03 312.10
EDM05.02 312.8 and SRM > Facility Security > Asset Han
APO01.02 312.10
APO03.02
BAI02.03
BAI02.04
BAI03.09
BAI06.01
APO09.03 312.8 and BOSS > Data Governance > Secure

APO10.04 312.10
APO10.05
APO13.01
DSS01.02
APO13.01 SRM > Policies and Standards > Infor
DSS01.04
DSS01.05
DSS04.01
DSS04.03
DS 12.3 APO13.01 312.8 and SRM > Policies and Standards >
APO13.02 Information Security Policy (Facility
DSS05.05 Security Policy)
APO13.01 312.8 and SRM > Policies and Standards > Infor
APO13.02 312.10
DSS05.05
DSS06.03
DS 12.3 APO13.01 312.8 and Infra Services > Facility Security >
APO13.02
DSS05.04
DSS05.05
DSS06.03
APO01.06
APO13.01
DSS05.04
DSS05.06
DSS06.03 SRM > Cryptographic Services >
DSS06.06 Key Management
DS5.8 APO13.01 312.8 and SRM > Cryptographic Services >
APO13.02 312.10 Key Management
APO09.03
BAI06.01
BAI09.01
BAI09.02
BAI09.03
DS5.8 APO13.01 312.8 and SRM > Data Protection >
DS5.10 DSS05.02 312.10 Cryptographic Services - Data-At-
DS5.11 DSS05.03 Rest Encryption,
DSS06.06 Cryptographic Services - Data-in-
Transit Encryption
APO01.06 SRM > Cryptographic Services >

BAI09.02 Key Management
BAI09.03
AI2.1 APO01.06 312.8 and SRM > Governance Risk &

AI2.2 APO03.02 Compliance > Technical Standards
AI3.3 APO13.01
DS2.3 APO13.02
DS11.6 BAI02.01
BAI02.03
BAI02.04
BAI06.01
BAI10.01
BAI10.02
MEA02.01
PO 9.1 EDM03.02 312.1 BOSS > Operational Risk

PO 9.2 APO01.03 Management > Independent Risk
PO 9.4 APO12.01 Management
DS 5.7 APO12.02
APO12.03
APO12.04
BAI09.01
DS5.3 APO01.03 312.8 and BOSS > Human Resources
DS5.4 APO01.04 Security > Roles and
DS5.5 APO01.08 Responsibilities
DSS01.01
R2 DS5.2 APO13.01 312.8 and SRM > InfoSec Management >

R2 DS5.5 APO13.02 312.10 Capabilitiy Mapping
APO13.03
DS5.1 APO01.02 312.8 and SRM > Governance Risk &

APO01.03 312.10 Compliance > Compliance
APO01.04 Management
APO01.08
APO13.01
APO13.02
APO13.03
DS5.2 APO01.03 312.8 and SRM > Policies and Standards >
APO01.04 312.10 Information Security Policies
APO13.01
APO13.02
PO 7.7 APO01.03 312.8 and SRM > Governance Risk &
APO01.08 312.10 Compliance >
APO07.04
PO 9.6 APO12 312.8 and BOSS > Operational Risk

APO13.01 Management > Risk Management
APO13.03 Framework
DS 5.2 APO12 312.8 and SRM > Governance Risk &

DS 5.4 APO13.01 312.10 Compliance > Policy Management
APO13.03
MEA03.01
MEA03.02
PO 9.4 APO12 312.8 and BOSS > Operational Risk
312.10 Management > Risk Management
Framework
PO 9.1 EDM03.02 312.8 and BOSS > Operational Risk

APO01.03 312.10 Management > Risk Management
APO12 Framework
APO01.08 312.3, BOSS > Human Resources Security

APO07.06 312.8 and
APO13.01 312.10
BAI09.03
PO 7.6 APO07.01 312.8 and BOSS > Human Resources
APO07.05 Security > Background Screening
APO07.06
DS 2.1 APO01.03 312.3, BOSS > Human Resources

APO13.01 312.8 and Security > Employee Code of
APO07.06 312.10 Conduct
APO09.03
APO10.01
APO07.05 312.10 Security > Roles and
APO07.06 Responsibilities
DS5.11 APO01.08 312.8 and Presentation Servies >

DS5.5 APO13.01 312.10 Presentation Platform > Endpoints
APO13.02 - Mobile Devices - Mobile Device
DSS05.01 Management
DSS05.02
DSS05.03
DSS05.07
DSS06.03
DSS06.06
APO01.02 312.8 and BOSS > Compliance > Intellectual P

APO01.03
APO01.08
APO07.06
APO09.03
DS5.1 APO01.02 312.3, 312 BOSS > Human Resources
APO10.04
APO01.03 Security > Roles and
APO13.01
APO01.08
APO13.03 Responsibilities
APO07.06
APO09.03
APO10.04
APO13.01
DS 5.3 APO01.03
APO13.03 312.4, SRM > Policies and Standards >
APO01.08 312.8 and Information Security Policies
APO13.01 312.10
APO13.02
DSS05.04
DSS06.06
PO 7.4 APO01.03 312.8 and SRM > GRC >
APO01.08 312.10
APO07.03
APO07.06
APO13.01
APO13.03

APO01.03 312.10 Security > Employee Awareness
APO01.08
APO07.03
APO07.06
APO13.01
APO13.03
APO01.02 312.8 and BOSS > Data Governance > Clear D
APO01.03
APO01.08
APO07.03
APO07.06
APO13.01
APO13.03
DSS05.03
DSS06.06
DS 5.7 APO01.03 312.8 and SRM > Privilege Management
APO01.08 Infrastructure > Privilege Usage
APO13.01 Management
APO13.02
DSS05.03
DSS05.05
DS 5.4 APO01.02 312.8 and SRM > Policies and Standards >
APO01.03 312.10
APO01.08
APO13.01
APO13.02
DSS05.04
DSS05.05
DSS05.06
DSS06.03
DSS06.06
DS5.7 APO13.01 312.8 and SRM > Privilege Management

DSS05.02 Infrastructure > Privilege Usage
DSS05.03 Management - Resource
DSS05.05 Protection
DSS06.06
APO01.03 SRM > Policies and Standards >

APO01.08 Information Security Policies
APO13.01
APO13.02
DSS05.02
DSS05.04
DSS06.06
DS 5.4 APO01.03 312.8 and ITOS > Resource Management >
APO01.08 312.10 Seggregation of Duties
APO13.02
DSS05.04
DSS06.03
APO01.03 ITOS > Service Support > Releas

APO01.08
APO13.02
DSS05.04
DSS06.03
DS 2.3 APO01.03 312.8 and SRM > Governance Risk &
APO01.08 Compliance > Vendor
APO07.06 Management
APO10.04
APO13.02
DSS05.04
DSS05.07
DSS06.03
DSS06.06
APO01.03 312.8 and Information Services > User
APO01.08 312.10 Directory Services > Active
APO10.04 Directory Services,
APO13.02 LDAP Repositories,
DSS05.04 X.500 Repositories,
DSS06.03 DBMS Repositories,
DSS06.06 Meta Directory Services,
Virtual Directory Services

APO01.08 312.10 Infrastructure > Identity
APO07.06 Management - Identity
APO10.04 Provisioning
APO13.02
DSS05.04
DSS06.03
DSS06.06

DS5.4 APO01.08 312.10 Infrastructure > Authorization
APO13.02 Services - Entitlement Review
DSS05.04
DSS06.03
DSS06.06
MEA01.03
DS 5.4 APO01.03 312.8 and SRM > Privilege Management
APO01.08 312.10 Infrastructure > Identity
APO13.02 Management - Identity
DSS05.04 Provisioning
DSS06.03
DSS06.06
MEA01.03
DS5.3 APO01.03 312.8 and SRM > Policies and Standards >
DS5.4 APO01.08 312.10 Technical Securitry Standards
APO13.02
DSS05.04
DSS06.03
DSS06.06
MEA01.03

APO13.02 Infrastructure > Privilege Usage
DSS05.05 Management - Resource
Protection
DS5.5 APO13.01 312.3, BOSS > Security Monitoring
DS5.6 APO13.02 312.8 and Services > SIEM
DS9.2 BAI10.01 312.10
BAI10.02
BAI10.03
DSS01.03
DSS02.01
DSS05.07
DSS06.05
APO08.04 SRM > Privilege Management

APO13.01 Infrastructure > Privileged Usage
BAI06.01 Management -> Hypervisor
BAI06.02 Governance and Compliance
BAI10.03
BAI10.04
DS5.7 APO01.08 312.8 and Infra Services > Network Services

APO13.01 312.10 > Authoritative Time Source
APO13.02
BAI03.05
DSS01.01
DS 3 APO01.03 312.8 and ITOS > Service Delivery >
APO01.08 Information Technology Resiliency
BAI04.01 - Capacity Planning
BAI04.04
BAI04.05
BAI10.01
BAI10.02
APO01.08 SRM > Threat and Vulnerability

APO04.02 Management > Vulnerability
APO04.03 Management
APO04.04
DSS05.03
DSS06.06
APO03.01 312.8 and SRM > Infrastructure Protection
APO03.02 312.10 Services > Network
APO13.01
APO13.02
BAI02.01
BAI03.02
BAI03.03
BAI03.04
BAI03.05
DSS05.02
DSS06.06

APO13.02 Operational Security Baselines
BAI02.01
BAI03.02
BAI03.03
BAI03.04
DS5.7 APO03.01
BAI03.05 312.8 and Information Services > Data
APO03.02
DSS05.01 312.10 Governance > Data Segregation
APO13.01
DSS05.03
APO13.02
DSS06.06
DSS05.02
DSS05.05
DSS06.06
DS5.10 APO03.01 312.8 and SRM > Infrastructure Protection
APO03.02 312.10 Services > Network - Firewall
APO13.01
APO13.02
DSS05.02
DSS05.05
DSS06.06
APO03.01 SRM > Cryptographic Services >

APO03.02 Data-in-transit Encryption
APO03.04
APO13.01
APO13.02
DSS05.02
DSS05.05
DSS06.06
APO13.01 SRM > Privilege Mangement
APO13.02 Infrastructure > Privilege Use
DSS05.02 Management - Hypervisor
DSS05.04 Governance and Compliance
DSS06.03
DSS06.06
DS5.5 APO01.08 312.8 and SRM > Infrastructure Protection

DS5.7 APO13.01 312.10 Services > Network - Wireless
DS5.8 APO13.02 Protection
DS5.10 DSS02.02
DSS05.02
DSS05.03
DSS05.04
DSS05.05
DSS05.07
DSS06.03
DSS06.06
BAI02.04 Application Services >

BAI03.01 Programming Interfaces >
BAI03.02
BAI03.03
APO01.03 Information Services > Reporting
BAI03.04
APO01.06 Services >
BAI03.05
APO03.01
APO08.01
APO09.03
DSS04.07
APO01.08
APO02.05
APO03.01
APO03.02
APO04.02 Information Technology Operation
BAI02.01 Services > Service Delivery >
BAI02.04 Service Level Management -
APO09.03 External SLA's
APO01.08 SRM > Data Protection >
APO02.05 Cryptographic Services - Data-In-
APO03.01 Transit Encryption
APO03.02
APO04.02
BAI02.01
APO01.08
BAI02.04 Infrastructure Services > Virtual
APO02.05
APO09.03 Infrastructure > Server
APO03.01 Virtualization
APO03.02
APO04.02
BAI02.01
APO01.03
BAI02.04 SRM > Governance Risk &
APO13.01
APO09.03 Compliance > Technical
APO07.03 Awareness and Training
APO07.06
APO09.03
APO01.08 Technical Securitry Standards
APO10.04
APO04.02
APO13.01
APO13.02
APO01.03 ITOS > Service Support >
APO13.03
APO01.08 Configuration Management -
APO13.01 Software Management
APO13.02
APO13.03
APO13.01
APO13.02
APO13.03
APO13.01
APO13.02
APO13.03
APO01.03 SRM > Governance Risk &
APO13.01 Management
APO13.02
APO01.03 ITOS > Service Support >
APO13.03
APO01.08 Configuration Management -
APO13.01 Software Management
APO13.02
BAI03.07
APO01.08 Information Security Policies
BAI03.08
APO13.01
BAI06.01 SRM > Infrastructure Protection
APO13.02
BAI06.02 Services > End Point - Inventory
BAI02.01
BAI06.04 Control
BAI02.04
BAI10.01
BAI10.02
BAI10.03
APO03.01 Presentation Servies >
APO03.02 Presentation Platform > End-
APO04.02 Points-Mobile Devices-Mobile
APO13.01
APO01.03 Device
SRM > Management
Data Protection >
APO13.02
APO13.01 Cryptographic Services - Data-At-
BAI02.01
APO13.02 Rest Encryption
BAI03.03
DSS05.03
APO01.03
BAI03.04 Presentation Servies >
DSS05.05
BAI03.10
DSS06.06
DSS05.03 Device Management

APO13.01 Information Security Services
APO13.02
DSS05.03 Presentation Servies >

DSS05.05 Presentation Platform > End-
Points-Mobile Devices-Mobile
APO01.03 Device
ITOS > Management
Service Support -Change
APO13.01 Management > Planned Changes
APO13.02
BAI06
APO01.03 Presentation Servies >
DSS05.03 Device Management

APO13.02
DSS05.01
DSS05.03
APO01.03 BOSS > Data Governance >
APO13.01 Secure Disposal of Data
APO13.02
DSS05.03
DSS05.05
APO01.03
DSS05.06 SRM > Infrastructure Protection
APO13.01 Services->Network > Link Layer
APO13.02 Network Security
DSS05.03
DSS05.05
DSS05.06

APO13.01 Technical Security Standards
APO13.02
ME 3.1 APO01.01 312.4 BOSS > Compliance >
APO01.02 Contact/Authority Maintenance
APO01.03
APO01.08
MEA03.01
MEA03.02
MEA03.03
DS5.6 APO01.03 312.8 and ITOS > Service Support > Security
APO13.01 312.10 Incident Management
APO13.02
DSS01.03
DSS02.01
DSS02.02
DSS02.04
DSS02.05
DSS02.06
DS5.6 APO01.03 312.3, BOSS > Human Resources

APO07.06 312.8 and Security > Employee Awareness
APO07.03 312.10
APO13.01
APO13.02
DSS02.01
DS5.6 APO01.03 312.8 and BOSS > Legal Services > Incident
APO13.01 312.10 Response Legal Preparation
APO13.02
DSS01.03
DSS02.01
DSS02.02
DSS02.04
DSS02.05
DSS02.06
DS 4.9 DSS04.07 312.8 and BOSS > Operational Risk

312.10 Management > Key Risk Indicators
APO10 SRM > Governance Risk &

APO11 Compliance > Vendor
DSS05.04 Management
DSS06.03
DSS06.06
APO09.03 ITOS > Service Support -> Incident

APO09.04 Management > Cross Cloud
APO10.04 Incident Response
APO10.05
DSS02.07
DS5.10 APO01.03 312.8 and ITOS > Service Delivery > Service
APO03.01 Level Management
APO03.02
APO09.03
BAI02.01
BAI02.04
BAI07.05
MEA01 SRM > Governance Risk &
MEA02 Compliance > Vendor
Management
DS5.11
312.3,
APO09.03 312.8 and BOSS > Legal Services >
APO09.05 312.10 Contracts

MEA01 Management
APO01.03 ITOS > Service Delivery > Servic
APO09.03
APO09.04
APO09.05
APO10.01
APO10.03
APO10.04
MEA01 Compliance > Vendor
MEA02 Management
ME 2.6
DS 2.1
DS 2.4
312.2(a)
and 312.3
(Prohibitio
APO01.08 n on
APO10.05 Disclosure BOSS > Compliance > Third-Party
MEA02.01 ) Audits
DS5.9
APO01.03
APO13.01
APO13.02 312.8 and SRM > Infrastructure Protection
DSS05.01 312.10 Services > Anti-Virus
AI6.1
AI3.3
DS5.9
APO01.03
APO13.01
APO13.02
BAI06.01
BAI06.02
BAI06.03
BAI06.04
DSS01.01
DSS01.02
DSS01.03
DSS03.05
DSS05.01 SRM > Threat and Vulnerability
DSS05.03 312.8 and Management > Vulnerability
DSS05.07 312.10 Management
APO01.03
APO13.01
APO13.02
DSS05.01
DSS05.02 SRM > Infrastructure Protection
DSS05.03 312.8 and Services > End Point - White
DSS05.04 312.10 Listing
rprise Architecture CSA Guidance
ENISA IAF
usted Cloud Initiative) V3.0
Public Private
shared x Domain 10 6.03.01. (c)
shared x Domain 10
shared x Domain 10
shared x Domain 10 6.02. (b)

6.04.03. (a)
shared x Domain 2, 4 6.01. (d)
shared x Domian 2, 4 6.03. (e)

6.07.01. (m)
6.07.01. (n)
shared x Domain 2, 4 6.10. (a)
6.10. (b)
6.10. (c)
6.10. (d)
6.10. (e)
6.10. (f)
6.10. (g)
6.10. (h)
6.10. (i)
provider x Domain 7, 8 6.07. (a)

6.07. (b)
6.07. (c)
provider x Domain 7, 8 6.07.01. (b)
6.07.01. (j)
6.07.01. (l)

6.09. (c)
6.09. (f)
6.09. (g)
shared x Domain 7, 8
provider x Domain 7, 8 6.07. (d)

6.08. (a)
6.09. (a)
6.09. (b)
6.09. (d)
provider x Domain 7, 8 6.07. (d)

6.08. (a)
6.09. (a)
6.09. (b)
6.09. (d)
provider x Domain 7, 8 6.09. (h)

6.09. (e)
6.09. (f)

6.03.03. (c)
6.07. (a)
6.07. (b)
6.07. (c)
shared x Domain 7, 8 6.03. (c)
shared x Domain 5 6.03. (h)

6.07.01. (c)
shared x None 6.03. (a)
shared x None
shared x None 6.03.01. (b)
6.03.01. (d)
shared x None
shared x Domain 5 6.04.03. (a)
Domain 5 6.10. (a)

6.10. (b)
6.10. (c)
6.10. (d)
6.10. (e)
shared x Domain 2
shared x Domain 5 6.03.05. (b)
shared x Domain 5 6.03. (d)
shared x Domain 5
shared x Domain 5 6.03. (h)
provider x Domain 8
provider x Domain 8 6.08. (a)

6.09. (i)
Domain 10 6.05. (a)

6.09. (j)

6.05. (b)
6.05. (c)
6.09. (i)

6.09. (i)

6.09. (j)
Domain 8 6.08. (a)

6.09. (i)

6.04.04. (b)
6.04.04. (c)
6.04.04. (d)
6.04.04. (e)
6.04.05. (d)
6.04.05. (e)
6.04.08.02. (b)
6.04.05. (c)
shared x Domain 11

6.03.04. (a)
6.03.04. (b)
6.03.04. (c)
6.03.04. (e)
6.07.01. (o)

6.04.03. (a)
shared x Domain 2
shared x Domain 2
shared x Domain 2 6.02. (e)

shared x Domain 2
shared x Domian 2, 4 6.03. (a)
shared x Domain 2
6.08. (a)
provider x Domain 2
shared x None
shared x None
shared x Domain 2
shared x Domain 3
shared x Domain 2
shared x Domain 2
shared x Domain 2 6.01. (c)
6.02. (e)
shared x Domain 2
shared x Domain 2
shared x Domain 2 6.03. (i)

6.03. (j)
shared x Domain 2 6.01. (b)
6.01. (d)
6.02. (e)
6.03. (b)
6.03.04. (b)
6.03.04. (c)
6.03.05. (b)
6.03.05. (d)
6.03.06. (b)
6.04.01. (c)
6.04.01. (f)
6.04.02. (a)
6.04.02. (b)
6.04.02. (c)
6.04.03. (b)
6.04.06. (a)
6.04.08. (a)
6.04.08. (b)
6.04.08. (c)
6.04.08.03. (a)
6.04.08.03. (b)
provider x Domain 2
Domain 12
shared x Domain 2 6.04.01. (d)
6.04.08.02. (a)
shared x Domain 2

6.02. (b)
6.03. (a)
shared x Domain 12

6.03.04. (c)
6.03.05. (d)
6.03.06. (a)
6.03.06. (b)
6.04.01. (a)
6.04.01. (b)
6.04.01. (d)
6.04.01. (e)
6.04.01. (g)
6.04.03. (c)
6.04.08.02. (a)
shared x Domain 2
6.03.04. (c)
6.03.05. (d)
6.03.06. (a)
6.04.02. (b)

6.03.04. (c)
6.03.05. (d)
6.04.05. (b)
shared x Domain 2
shared x Domain 10 6.03. (i)
6.03. (j)
6.03.03. (a)
6.03.03. (d)
6.03.04. (e)
6.04.07. (a)
6.07.01. (a)
6.07.01. (c)
provider x Domain 10 6.03. (k)
provider x Domain 7, 8 6.03.07. (a)

6.03.07. (b)
6.03.07. (c)
6.03.07. (d)
provider x Domain 1, 13
provider x Domain 10 6.03.03. (a)
6.03.03. (d)
6.03.04. (d)
6.04.07. (a)
6.07.01. (c)
provider x Domain 10 6.03.03. (b)

6.03.05. (a)
6.03.05. (b)
6.04.01. (a)
6.04.01. (g)
6.04.03. (c)
6.04.08.02. (a)
6.04.08.02. (b)
6.05. (c)
provider X Domain 1, 13
provider X Domain 1, 13
provider X Domain 10
provider X Domain 6
provider Domain 6
Domain 3 6.04.03. (b)
6.04.08. (a)
6.04.08. (b)
6.06. (a)
6.06. (b)
6.06. (c)
6.06. (d)
6.06. (e)
6.06. (f)
provider
provider x Domain 6
provider X Domain 6
provider X None (Mobile

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)
Guidance)
Guidance)

Guidance)

Guidance)
shared X None (Mobile

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

Guidance)

6.07.01. (a)
6.07.01. (d)
6.07.01. (e)
6.07.01. (f)
6.07.01. (g)
6.07.01. (h)

6.07.01. (f)
6.07.01. (h)

6.07.01. (i)
provider X Domain 2
provider Domain 2
provider x Domain 2 6.02. (c)

6.03.07. (a)
6.03.07. (b)
6.03.07. (c)
6.03.07. (d)
provider x Domain 2
Domain 3 6.02. (e)

6.10. (h)
6.10. (i)
shared x
Domain 2
provider x
provider x Domain 3 6.02. (c)
6.02. (d)
6.07.01. (k)
Domain 2
provider x
Domain 2, 4 6.02. (b)
6.02. (d)
shared x
Domain 2 6.03. (f)
shared x
Domain 2 6.03.02. (a)
6.03.02. (b)
6.03.05. (c)
6.07.01. (o)
shared x
Domain 10 6.03. (g)
shared x
FedRAMP CLOUD CONTROLS MATRIX
FedRAMP Security Controls

95/46/EC - European Union Data Protection Directive (Final Release, Jan 2012)
--LOW IMPACT LEVEL--
Article: 27 (3) NIST SP 800-53 R3 SC-5

NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-14
Article 17 (1), (2) NIST SP 800-53 R3 CA-1

NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 SI-2
Article 17 (1), (2),(3), (4) NIST SP 800-53 R3 AC-1

NIST SP 800-53 R3 SC-13

NIST SP 800-53 R3 CA-2 (1)

NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AT-1
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 IA-1
NIST SP 800-53 R3 IR-1
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PS-1
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SC-13
Article 17 (1), (2) NIST SP800-53 R3 CP-1

NIST SP800-53 R3 CP-2
Article 17 (1), (2) NIST SP800-53 R3 PE-1

NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
Article 17 NIST SP 800-53 R3 CP-9

NIST SP 800-53 R3 CP-10


Article 17 (1) NIST SP 800-53 R3 MA-2

Article 17 (1), (2) NIST SP 800-53 R3 CP-1

Article 6(1) e NIST SP 800-53 R3 CP-2



Article 4 (1), NIST SP 800-53 R3 RA-2

Article 12, Article 17
Article 17 NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-22

Article 23 NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 SI-12
Article 4 NIST SP 800-53 R3 CA-2

NIST SP 800-53 R3 CA-2 (1)
Article 16 NIST SP 800-53 R3 MP-6
Article 17 NIST SP 800-53 R3 PE-1
Article 17

Article 17 NIST SP 800-53 R3 IA-4

NIST SP 800-53 R3 PE-16
Article 17 NIST SP 800-53 R3 CM-8


NIST SP 800-53 R3 PE-16
Article 17 NIST SP 800-53 R3 MA-1

NIST SP 800-53 R3 PE-16

Article 17 NIST SP 800-53 R3 SC-12

NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 SC-13

Article 6, Article 8, Article 17 (1) NIST SP 800-53 R3 CA-3

NIST SP 800-53 R3 SI-12
Article 17

Article 17 NIST SP 800-53 R3 PL-4
Article 17 (1), (2) NIST SP 800-53 R3 AC-1


NIST SP 800-53 R3 IA-5 (1)
Article 17 (1), (2) NIST SP 800-53 R3 CM-1

Article 17 NIST SP 800-53 R3 PS-4



NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-19


Article 5, Article 6 NIST SP 800-53 R3 AC-2

NIST SP 800-53 R3 AC-20
Article 17 NIST SP 800-53 R3 AT-2



NIST SP 800-53 R3 AC-14

Article 17

NIST SP 800-53 R3 IA-5 (1)
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-5 (1)


NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 IA-2 (1)
NIST SP 800-53 R3 IA-5 (1)

Article 17 NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AU-11
NIST SP 800-53 R3 AU-12

Article 17 (1) NIST SP 800-53 R3 SA-4

NIST SP 800-53 R3 SC-20 (1)
Article 17 NIST SP 800-53 R3 SC-7

NIST SP 800-53 R3 AC-18
Article 17 NIST SP 800-53 R3 IR-1

Article 17 NIST SP 800-53 R3 IR-2

NIST SP 800-53 R3 AU-11

Article 17 NIST SP 800-53 R3 CA-3

Article 17 (3)
Article 17(2)
Article 17
Article 17
Article 17
LOUD CONTROLS MATRIX v3.0.1 Candidate Mapping

(NIST SP 800-53 R4)
(Final Release, Jan 2012) FERPA
--MODERATE IMPACT
--MODERATE IMPACT LEVEL--
LEVEL--
NIST SP 800-53 R3 SA-8 SA-8

NIST SP 800-53 R3 SC-2 SC-2
NIST SP 800-53 R3 SC-7 (1) SC-7(3)
NIST SP 800-53 R3 SC-7 (2) SC-7(4)
NIST SP 800-53 R3 SC-7 (3) SC-7(5)
NIST SP 800-53 R3 SC-7 (4) SC-7(7)
NIST SP 800-53 R3 SC-7 (5) SC-7(8)
NIST SP 800-53 R3 SC-7 (7) SC-7(12)
NIST SP 800-53 R3 SC-7 (8) SC-7(13)
NIST SP 800-53 R3 SC-7 (12) SC-7(18)
NIST SP 800-53 R3 SC-7 (13) SC-8
NIST SP 800-53 R3 SC-7 (18) SC-8(1)
NIST SP 800-53 R3 SC-8 SC-10
NIST SP 800-53 R3 SC-8 (1) SC-13
NIST SP 800-53 R3 SC-9 SC-17
NIST SP 800-53 R3 SC-9 (1) SC-18
NIST SP 800-53 R3 SC-10
NIST SP 800-53 R3 SC-11
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SC-17
NIST SP 800-53 R3 SC-18
NIST SP 800-53 R3 CA-1 CA-1

NIST SP 800-53 R3 CA-2 (1) CA-6
NIST SP 800-53 R3 SI-2 AC-2
NIST SP 800-53 R3 SI-2 (2) AC-3
NIST SP 800-53 R3 SI-3 AC-5
NIST SP 800-53 R3 SI-3 (1) AC-6
NIST SP 800-53 R3 SI-3 (2) AC-6(10)
NIST SP 800-53 R3 SI-3 (3) SI-2
NIST SP 800-53 R3 SI-4 SI-2(3)
NIST SP 800-53 R3 SI-4 (2) SI-3
NIST SP 800-53 R3 SI-4 (4) SI-3(1)
NIST SP 800-53 R3 SI-4 (5) SI-3(2)
NIST SP 800-53 R3 SI-4 (6) SI-4
NIST SP 800-53 R3 SI-6 SI-4(2)
NIST SP 800-53 R3 SI-7 SI-4(4)
NIST SP 800-53 R3 SI-7 (1) SI-4(5)
NIST SP 800-53 R3 SI-9 SI-6
NIST SP 800-53 R3 SI-10 SI-7
NIST SP 800-53 R3 SI-11 SI-7(1)
SI-7(7)
SI-10
NIST SP 800-53 R3 AC-1 SI-11
AC-4
NIST SP 800-53 R3 AC-4 SC-1
NIST SP 800-53 R3 SC-8 SC-8(1)

NIST SP 800-53 R3 CA-2 (1) CA-2(1)
NIST SP 800-53 R3 CA-7 (2)

NIST SP 800-53 R3 CA-2 (1) CA-2(1)
NIST SP 800-53 R3 RA-5 CA-8
NIST SP 800-53 R3 RA-5 (1) RA-5
NIST SP 800-53 R3 RA-5 (2) RA-5(1)
NIST SP 800-53 R3 RA-5 (3) RA-5(2)
NIST SP 800-53 R3 RA-5 (6) RA-5(3)
NIST SP 800-53 R3 RA-5 (9) RA-5(6)
NIST SP 800-53 R3 AC-1 AC-1
NIST SP 800-53 R3 AT-1 AT-1
NIST SP 800-53 R3 AU-1 AU-1
NIST SP 800-53 R3 CM-1 CM-1
NIST SP 800-53 R3 CP-1 CP-1
NIST SP 800-53 R3 IA-1 IA-1
NIST SP 800-53 R3 IR-1 IR-1
NIST SP 800-53 R3 MA-1 MA-1
NIST SP 800-53 R3 MP-1 MP-1
NIST SP 800-53 R3 PE-1 PE-1
NIST SP 800-53 R3 PL-1 PL-1
NIST SP 800-53 R3 PS-1 PS-1
NIST SP 800-53 R3 RA-1 RA-1
NIST SP 800-53 R3 SA-6 SC-1
NIST SP 800-53 R3 SC-1 SC-13
NIST SP 800-53 R3 SC-13 SI-1
NIST SP 800-53 R3 SC-13 (1) SI-7
NIST SP 800-53 R3 SC-30
NIST SP800-53 R3 CP-1 CP-1

NIST SP800-53 R3 CP-2 (1) CP-2(1)
NIST SP800-53 R3 CP-2 (2) CP-2(2)
NIST SP800-53 R3 CP-4 (1) CP-4(1)
NIST SP800-53 R3 CP-6 (1) CP-6(1)
NIST SP800-53 R3 CP-6 (3) CP-6(3)
NIST SP800-53 R3 CP-7 (1) CP-7(1)
NIST SP800-53 R3 CP-7 (2) CP-7(2)
NIST SP800-53 R3 CP-7 (3) CP-7(3)
NIST SP800-53 R3 CP-7 (5) CP-8
NIST SP800-53 R3 CP-8 CP-8(1)
NIST SP800-53 R3 CP-8 (1) CP-8(2)
NIST SP800-53 R3 CP-8 (2) CP-9
NIST SP800-53 R3 CP-9 CP-9(1)
NIST SP800-53 R3 CP-9 (1) CP-9(3)
NIST SP800-53 R3 CP-9 (3) CP-10
NIST SP800-53 R3 CP-10 CP-10(2)
NIST SP800-53 R3 CP-10 (2) IR-9(1)
NIST SP800-53 R3 CP-10 (3) PE-17
NIST SP800-53 R3 CP-2 (1) CP-2(1)
NIST SP800-53 R3 CP-2 (2) CP-2(2)
NIST SP800-53 R3 CP-4 (1) CP-4(1)
IR-9(2)
NIST SP800-53 R3 PE-1 IR-9(4)
IR-9(3)
NIST SP800-53 R3 PE-4 PE-1
NIST SP800-53 R3 PE-13 (1) PE-13
NIST SP800-53 R3 PE-13 (2) PE-13(2)
NIST SP800-53 R3 PE-13 (3) PE-13(3)
NIST SP 800-53 R3 CP-9 AC-6(5)

NIST SP 800-53 R3 CP-9 (1) CP-9
NIST SP 800-53 R3 CP-9 (3) CP-9(1)
NIST SP 800-53 R3 CP-10 CP-9(3)
NIST SP 800-53 R3 CP-10 (2) CP-10
NIST SP 800-53 R3 CP-10 (3) CP-10(2)
NIST SP 800-53 R3 SA-5 SA-4(1)
NIST SP 800-53 R3 SA-5 (1) SA-4(2)
NIST SP 800-53 R3 SA-5 (3) SA-5
NIST SP 800-53 R3 SA-10 SA-10
NIST SP 800-53 R3 SA-11 SA-11
NIST SP 800-53 R3 SA-11 (1) SA-11(1)

NIST SP800-53 R3 PE-13 PE-13
NIST SP800-53 R3 PE-13 (1) PE-13(2)
NIST SP800-53 R3 PE-13 (2) PE-13(3)
NIST SP800-53 R3 PE-13 (3) PE-14
NIST SP800-53 R3 PE-14 PE-15
NIST SP800-53 R3 PE-1 IR-9(4)

NIST SP800-53 R3 PE-15 PE-14
NIST SP800-53 R3 PE-18 PE-15
NIST SP 800-53 R3 MA-2 IR-3(2)

NIST SP 800-53 R3 MA-2 (1) MA-2
NIST SP 800-53 R3 MA-3 (1) MA-3(1)
NIST SP 800-53 R3 MA-3 (2) MA-3(2)
NIST SP 800-53 R3 MA-3 (3) MA-3(3)
NIST SP 800-53 R3 MA-4 (1) MA-4(2)
NIST SP 800-53 R3 MA-4 (2) MA-5
NIST SP800-53 R3 CP-8 (1) CP-8(1)
NIST SP800-53 R3 CP-8 (2) CP-8(2)
NIST SP800-53 R3 PE-1 IR-3(2)
NIST SP800-53 R3 PE-11 PE-10
NIST SP800-53 R3 PE-12 PE-11
NIST SP800-53 R3 PE-13 PE-12
NIST SP800-53 R3 PE-13 (1) PE-13
NIST SP800-53 R3 PE-13 (2) PE-13(2)
NIST SP800-53 R3 PE-13 (3) PE-13(3)
NIST SP800-53 R3 PE-14 PE-14

NIST SP 800-53 R3 RA-3 CP-2(3)
CP-2(8)
RA-3
NIST SP 800-53 R3 CM-2 (1) CM-2 (1)
NIST SP 800-53 R3 CM-2 (3) CM-2 (3)
NIST SP 800-53 R3 CM-2 (5) CM-2 (7)
NIST SP 800-53 R3 CM-3 (2) CM-4
NIST SP 800-53 R3 CM-6 CM-6 (1)
NIST SP 800-53 R3 CM-6 (1) CM-9
NIST SP 800-53 R3 CM-6 (3) IR-9 (2)
NIST SP 800-53 R3 CM-9 MA-4
NIST SP 800-53 R3 MA-4 MA-4 (2)
NIST SP 800-53 R3 MA-4 (1) SA-3
NIST SP 800-53 R3 MA-4 (2) SA-4
NIST SP 800-53 R3 SA-3 SA-4 (1)
NIST SP 800-53 R3 SA-4 SA-4 (2)
NIST SP 800-53 R3 SA-4 (1) SA-5
NIST SP 800-53 R3 SA-4 (4) SA-8
NIST SP 800-53 R3 SA-4 (7) SA-10
NIST SP 800-53 R3 SA-5 SA-11
NIST SP 800-53 R3 SA-5 (1) SA-11 (1)
NIST SP 800-53 R3 SA-5 (3) SI-7
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12

NIST SP 800-53 R3 CP-2 (1) CP-2 (1)
NIST SP 800-53 R3 CP-2 (2) CP-2 (2)
NIST SP 800-53 R3 CP-6 (1) CP-6 (1)
NIST SP 800-53 R3 CP-6 (3) CP-6 (3)
NIST SP 800-53 R3 CP-7 (1) CP-7 (1)
NIST SP 800-53 R3 CP-7 (2) CP-7 (2)
NIST SP 800-53 R3 CP-7 (3) CP-7 (3)
NIST SP 800-53 R3 CP-7 (5) CP-8
NIST SP 800-53 R3 CP-8 CP-8 (1)
NIST SP 800-53 R3 CP-8 (1) CP-8 (2)
NIST SP 800-53 R3 CP-8 (2) CP-9
NIST SP 800-53 R3 CP-9 CP-9 (1)
NIST SP 800-53 R3 CP-9 (1) CP-9 (3)
NIST SP 800-53 R3 CP-9 (3)
NIST SP 800-53 R3 PL-2 SA-1
NIST SP 800-53 R3 SA-4 SA-4 (1)
NIST SP 800-53 R3 SA-4 (1) SA-10 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)

NIST SP 800-53 R3 SA-4 (1) SA-4 (1)
NIST SP 800-53 R3 SA-4 (4) SA-4 (2)
NIST SP 800-53 R3 SA-4 (7) SA-4 (9)
NIST SP 800-53 R3 SA-5 (1) SA-8
NIST SP 800-53 R3 SA-5 (3) SA-9
NIST SP 800-53 R3 SA-8 SA-9 (1)
NIST SP 800-53 R3 SA-9 SA-10
NIST SP 800-53 R3 SA-9 (1) SA-10 (1)
NIST SP 800-53 R3 SA-10 SA-11
NIST SP 800-53 R3 SA-11 SA 11 (1)
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12
NIST SP 800-53 R3 CM-2 (1) CM-2 (1)
NIST SP 800-53 R3 CM-2 (3) CM-2 (2)
NIST SP 800-53 R3 CM-2 (5) CM-2 (3)
NIST SP 800-53 R3 SA-3 CM-2 (7)
NIST SP 800-53 R3 SA-4 (1) SA-4
NIST SP 800-53 R3 SA-4 (4) SA-4 (1)
NIST SP 800-53 R3 SA-4 (7) SA-4 (2)
NIST SP 800-53 R3 SA-5 (1) SA-8
NIST SP 800-53 R3 SA-5 (3) SA-10
NIST SP 800-53 R3 SA-8 SA-10 (1)
NIST SP 800-53 R3 SA-10 SA-11
NIST SP 800-53 R3 SA-11 SA-11 (1)
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 CM-1 AC-6 (10)

NIST SP 800-53 R3 CM-2 (1) CM-2
NIST SP 800-53 R3 CM-2 (3) CM-2 (1)
NIST SP 800-53 R3 CM-2 (5) CM-2 (3)
NIST SP 800-53 R3 CM-3 CM-2 (7)
NIST SP 800-53 R3 CM-3 (2) CM-3
NIST SP 800-53 R3 CM-5 (1) CM-5 (1)
NIST SP 800-53 R3 CM-5 (5) CM-5 (3)
NIST SP 800-53 R3 CM-7 CM-5 (5)
NIST SP 800-53 R3 CM-7 (1) CM-7
NIST SP 800-53 R3 CM-8 CM-7 (1)
NIST SP 800-53 R3 CM-8 (1) CM-8
NIST SP 800-53 R3 CM-8 (3) CM-8 (1)
NIST SP 800-53 R3 CM-8 (5) CM-8 (3)
NIST SP 800-53 R3 CM-9 CM-8 (5)
NIST SP 800-53 R3 SA-6 CM-9
NIST SP 800-53 R3 SA-7 CM-10
NIST SP 800-53 R3 SI-1 CM-10 (1)
NIST SP 800-53 R3 SI-3 (1) SI-3
NIST SP 800-53 R3 SI-3 (2) SI-3 (1)
NIST SP 800-53 R3 SI-3 (3) SI-3 (2)
NIST SP 800-53 R3 SI-4 (2) SI-4 (2)
NIST SP 800-53 R3 SI-4 (4) SI-4 (4)
NIST SP 800-53 R3 SI-4 (5) SI-4 (5)
NIST SP 800-53 R3 SI-4 (6) SI-7
NIST SP 800-53 R3 SI-7 SI-7 (1)
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 CA-7 (2) CM-2
NIST SP 800-53 R3 CM-2 CM-2 (1)
NIST SP 800-53 R3 CM-2 (1) CM-2 (2)
NIST SP 800-53 R3 CM-2 (3) CM-2 (3)
NIST SP 800-53 R3 CM-2 (5) CM-2 (7)
NIST SP 800-53 R3 CM-3 (2) CM-5
NIST SP 800-53 R3 CM-5 CM-5 (1)
NIST SP 800-53 R3 CM-5 (1) CM-5 (5)
NIST SP 800-53 R3 CM-5 (5) CM-6
NIST SP 800-53 R3 CM-6 CM-6 (1)
NIST SP 800-53 R3 CM-6 (1) CM-9
NIST SP 800-53 R3 CM-6 (3) SI-2
NIST SP 800-53 R3 CM-9 SI-2 (2)
NIST SP 800-53 R3 PL-2 SI-6
NIST SP 800-53 R3 PL-5 SI-7
NIST SP 800-53 R3 SI-2 SI-7 (1)
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 RA-2 AC-4

NIST SP 800-53 R3 AC-4 RA-2
NIST SP 800-53 R3 SC-30

NIST SP 800-53 R3 AC-22 AC-1
NIST SP 800-53 R3 AU-10 AC-22
NIST SP 800-53 R3 AU-10 (5) SC-8
NIST SP 800-53 R3 SC-8 SC-8(1)
NIST SP 800-53 R3 SC-8 (1) SI-7
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 AC-1 AC-1 99.31.(a)(1)(ii)

NIST SP 800-53 R3 AC-16 MP-1
NIST SP 800-53 R3 MP-3 PE-16
NIST SP 800-53 R3 PE-16 SI-1
NIST SP 800-53 R3 SC-9 SI-12
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SI-12
NIST SP 800-53 R3 SA-11 AC-4(21)

NIST SP 800-53 R3 SA-11 (1) SA-11
SA-11(1)
NIST SP 800-53 R3 CA-2 AC-4(21)

NIST SP 800-53 R3 CA-2 (1) MP-7(1)
NIST SP 800-53 R3 RA-2 SA-2
NIST SP 800-53 R3 SA-2 RA-2
NIST SP 800-53 R3 MP-6 AC-4(21)
NIST SP 800-53 R3 MP-6 (4) PE-1
MP-7
MP-7(1)
NIST SP 800-53 R3 PE-2 PE-2 99.31.a.1.ii

NIST SP 800-53 R3 PE-6 (1) PE-6(1)
NIST SP 800-53 R3 PE-7 (1)
NIST SP 800-53 R3 PE-18

NIST SP 800-53 R3 IA-4 (4) IA-4(4)
NIST SP 800-53 R3 AC-17 AC-1

NIST SP 800-53 R3 AC-17 (1) AC-17
NIST SP 800-53 R3 AC-17 (2) AC-17(1)
NIST SP 800-53 R3 AC-17 (3) AC-17(2)
NIST SP 800-53 R3 AC-17 (4) AC-17(3)
NIST SP 800-53 R3 AC-17 (5) AC-17(4)
NIST SP 800-53 R3 AC-17 (7) MA-1
NIST SP 800-53 R3 AC-17 (8) PE1
NIST SP 800-53 R3 MA-1 PE-16
NIST SP 800-53 R3 PE-1 PE-17
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-17

NIST SP 800-53 R3 CM-8 (1) CM-8(1)
NIST SP 800-53 R3 CM-8 (3) CM-8(3)
NIST SP 800-53 R3 CM-8 (5) CM-8(5)
NIST SP 800-53 R3 SC-30 MP-6
MP-6(2)
NIST SP 800-53 R3 PE-2 PE-2 99.31.a.1.ii
NIST SP 800-53 R3 PE-6 (1) PE-6(1)
NIST SP 800-53 R3 PE-7 PE-16 99.31.a.1.ii

NIST SP 800-53 R3 PE-7 (1)
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-18
NIST SP 800-53 R3 MA-1 MA-1 99.31.a.1.ii

NIST SP 800-53 R3 MA-2 (1) PE-16
NIST SP 800-53 R3 PE-16 SC-39
NIST SP 800-53 R3 PE-2 PE-2 99.31.a.1.ii

NIST SP 800-53 R3 PE-6 (1) PE-6(1)
NIST SP 800-53 R3 PE-18
NIST SP 800-53 R3 SC-12 SC-12

NIST SP 800-53 R3 SC-12 (2) SC-13
NIST SP 800-53 R3 SC-12 (5) SC-17
NIST SP 800-53 R3 SC-13 SC-28(1)
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-17
NIST SP 800-53 R3 AC-18 AC-1
NIST SP 800-53 R3 AC-18 (1) AC-18
NIST SP 800-53 R3 AC-18 (2) AC-18(1)
NIST SP 800-53 R3 SC-7 SC-7(4)
NIST SP 800-53 R3 SC-7 (4) SC-8
NIST SP 800-53 R3 SC-8 SC-8(1)
NIST SP 800-53 R3 SC-8 (1) SC-13
NIST SP 800-53 R3 SC-9 SC-23
NIST SP 800-53 R3 SC-9 (1) SC-28
NIST SP 800-53 R3 SC-13 SC-28(1)
NIST SP 800-53 R3 SC-13 (1) SI-8
NIST SP 800-53 R3 SC-23
NIST SP 800-53 R3 SC-28
SC-12

NIST SP 800-53 R3 CM-2 (1) CM-2(1)
NIST SP 800-53 R3 CM-2 (3) CM-2(3)
NIST SP 800-53 R3 CM-2 (5) CM-2(7)
NIST SP 800-53 R3 SA-2 CM-10(1)
NIST SP 800-53 R3 SA-4 CM-11
NIST SP 800-53 R3 SA-4 (1) SA-2
NIST SP 800-53 R3 SA-4 (4) SA-4
NIST SP 800-53 R3 SA-4 (7) SA-4(1)
NIST SP 800-53 R3 SC-30
NIST SP 800-53 R3 CA-3 AC-6(9)

NIST SP 800-53 R3 RA-2 AC-21
NIST SP 800-53 R3 RA-3 CA-3
NIST SP 800-53 R3 SI-12 RA-2
RA-3
SI-12
NIST SP 800-53 R3 CA-7 (2)
AC-6(5) 99.31.(a)(1)(ii)

NIST SP 800-53 R3 PL-4 PS-1 99.31(a)(i)(ii)


NIST SP 800-53 R3 IA-5 (1) IA-5(1)
NIST SP 800-53 R3 IA-5 (2) IA-5(2)
NIST SP 800-53 R3 IA-5 (3) IA-5(3)
NIST SP 800-53 R3 IA-5 (6) IA-5(6)
NIST SP 800-53 R3 IA-5 (7) IA-5(7)
NIST SP 800-53 R3 SC-30

NIST SP 800-53 R3 AT-1 AC-6(10)
NIST SP 800-53 R3 AU-1 AT-1
NIST SP 800-53 R3 CA-1 AU-1
NIST SP 800-53 R3 PL-1 CA-7
NIST SP 800-53 R3 RA-1 CM-1
NIST SP 800-53 R3 RA-2 PL-1
NIST SP 800-53 R3 SA-9 (1) RA-2
NIST SP 800-53 R3 SC-30 RA-3
NIST SP 800-53 R3 SI-4 SA-9(1)
NIST SP 800-53 R3 SI-4 (2) SI-4
NIST SP 800-53 R3 SI-4 (4) SI-4(2)
NIST SP 800-53 R3 SI-4 (5) SI-4(4)
NIST SP 800-53 R3 SI-4 (6) SI-4(5)

PS-3 (3)

NIST SP 800-53 R3 PS-5 PS-
NIST SP 800-53 R3 PS-6 5
PS-8
NIST SP 800-53 R3 AC-17 AC-1

NIST SP 800-53 R3 AC-17 (1) AC-17
NIST SP 800-53 R3 AC-17 (2) AC-17 (1)
NIST SP 800-53 R3 AC-17 (3) AC-17 (2)
NIST SP 800-53 R3 AC-17 (4) AC-17 (3)
NIST SP 800-53 R3 AC-17 (5) AC-17 (4)
NIST SP 800-53 R3 AC-17 (7) AC-18
NIST SP 800-53 R3 AC-17 (8) AC-18 (1)
NIST SP 800-53 R3 AC-18 AC-19
NIST SP 800-53 R3 AC-18 (1) MP-2
NIST SP 800-53 R3 AC-18 (2) MP-4
NIST SP 800-53 R3 AC-19 MP-7
NIST SP 800-53 R3 AC-19 (1)
NIST SP 800-53 R3 AC-19 (2)
NIST SP 800-53 R3 AC-19 (3)
NIST SP 800-53 R3 MP-2 (1)
NIST SP 800-53 R3 MP-4 (1)
NIST SP 800-53 R3 MP-6 (4)
NIST SP 800-53 R3 PL-4 PS- 6

NIST SP 800-53 R3 PS-6 SA-9
NIST SP 800-53 R3 SA-9 SA-9 (1)
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 PL-4 PS-1 99.31(a)(1)(ii)

NIST SP 800-53 R3 AC-20 AC-20
NIST SP 800-53 R3 AC-20 (1) AC-20 (1)
NIST SP 800-53 R3 AC-20 (2) AC-20 (2)
NIST SP 800-53 R3 AT-1 AT-1 99.31(a)(1)(ii)

NIST SP 800-53 R3 AC-11 AC-1

NIST SP 800-53 R3 MP-1 AC-2 (5)
NIST SP 800-53 R3 MP-2 AC-11
NIST SP 800-53 R3 MP-2 (1) AC-12
NIST SP 800-53 R3 MP-4 (1) MP-3
MP-4
NIST SP 800-53 R3 AU-9 AC-17 (9)
NIST SP 800-53 R3 AU-9 (2) AU-9
AU-9 (2)
AU-9 (4)
NIST SP 800-53 R3 AC-7 AC-2 (9)
NIST SP 800-53 R3 AC-10 AC-2 (10)
NIST SP 800-53 R3 AC-14 AC-7
NIST SP 800-53 R3 IA-1 AC-10
AC-14
AC-17 (9)
CM-7 (5)
IA-1
IA-2 (11)
RA-5 (8)

NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 MA-3 CM-7
NIST SP 800-53 R3 MA-3 (1) CM-7 (1)
NIST SP 800-53 R3 MA-3 (2) CM-7 (5)
NIST SP 800-53 R3 MA-3 (3) MA-3
NIST SP 800-53 R3 MA-4 MA-3 (1)
NIST SP 800-53 R3 MA-4 (1) MA-3 (2)
MA-3 (3)
NIST SP 800-53 R3 MA-4 (2) MA-4
NIST SP 800-53 R3 MA-5 MA-4 (2)
MA-5
IA-2 (5)
NIST SP 800-53 R3 AC-1 AC-1 99.31(a)(1)(ii)
NIST SP 800-53 R3 AC-2 AC-2 (1)
NIST SP 800-53 R3 AC-2 (1) AC-2 (2)
NIST SP 800-53 R3 AC-2 (2) AC-2 (3)
NIST SP 800-53 R3 AC-2 (3) AC-2 (4)
NIST SP 800-53 R3 AC-2 (4) AC-2 (7)
NIST SP 800-53 R3 AC-2 (7) AC-2 (9)
NIST SP 800-53 R3 AC-6 (1) AC-6 (1)
NIST SP 800-53 R3 AC-6 (2) AC-6 (2)
NIST SP 800-53 R3 AU-1 AC-6 (9)
NIST SP 800-53 R3 AU-2 AC-6 (10)
NIST SP 800-53 R3 AU-6 (1) AU-2
NIST SP 800-53 R3 AU-6 (3) AU-6
NIST SP 800-53 R3 SI-4 AU-6 (1)
NIST SP 800-53 R3 SI-4 (2) AU-6 (3)
NIST SP 800-53 R3 SI-4 (4) SI-4
NIST SP 800-53 R3 SI-4 (5) SI-4 (2)
NIST SP 800-53 R3 SI-4 (6) SI-4 (4)
SI-4 (5)
NIST SP 800-53 R3 CM-5 AC-6 (5)

NIST SP 800-53 R3 CM-5 (1) CM-5
NIST SP 800-53 R3 CM-5 (5) CM-5 (1)
CM-5 (5)

NIST SP 800-53 R3 AT-1 AC-2 (5)
NIST SP 800-53 R3 AU-1 AC-21
NIST SP 800-53 R3 CA-1 AT-1
NIST SP 800-53 R3 CM-1 AU-1
NIST SP 800-53 R3 CP-1 CA-1
NIST SP 800-53 R3 IA-1 CM-1
NIST SP 800-53 R3 IA-4 CP-1
NIST SP 800-53 R3 IA-5 (1) IA-4
NIST SP 800-53 R3 IA-5 (2) IA-5
NIST SP 800-53 R3 IA-5 (3) IA-5 (1)
NIST SP 800-53 R3 IA-5 (6) IA-5 (2)
NIST SP 800-53 R3 IA-5 (7) IA-5 (3)
NIST SP 800-53 R3 IA-8 IA-5 (6)
NIST SP 800-53 R3 IR-1 IA-5 (7)
NIST SP 800-53 R3 MA-1 IA-8
NIST SP 800-53 R3 MP-1 IR-1
NIST SP 800-53 R3 PE-1 MA-1
NIST SP 800-53 R3 PL-1 MP-1
NIST SP 800-53 R3 PS-1 PE-1
NIST SP 800-53 R3 RA-1 PL-1
NIST SP 800-53 R3 SA-1 PS-1
NIST SP 800-53 R3 SC-1 RA-1
NIST SP 800-53 R3 SI-1 RA-5
(8)
SA-1
SC-1
SI-1
-

NIST SP 800-53 R3 AC-3 (3) AC-2 (9)
NIST SP 800-53 R3 AC-6 (1) AC-6
NIST SP 800-53 R3 AC-6 (2) AC-6 (1)
NIST SP 800-53 R3 IA-2 AC-6 (2)
NIST SP 800-53 R3 IA-2 (1) IA-2
NIST SP 800-53 R3 IA-2 (2) IA-2 (1)
NIST SP 800-53 R3 IA-2 (3) IA-2 (2)
NIST SP 800-53 R3 IA-2 (8) IA-2 (3)
NIST SP 800-53 R3 IA-4 IA-2 (8)
NIST SP 800-53 R3 IA-4 (4) IA-4
NIST SP 800-53 R3 IA-5 IA-4 (4)
NIST SP 800-53 R3 IA-5 (1) IA-5
NIST SP 800-53 R3 IA-5 (2) IA-5 (1)
NIST SP 800-53 R3 IA-5 (3) IA-5 (2)
NIST SP 800-53 R3 IA-5 (6) IA-5 (3)
NIST SP 800-53 R3 IA-5 (7) IA-5 (6)
NIST SP 800-53 R3 IA-8 IA-5 (7)
NIST SP 800-53 R3 MA-5 IA-8
NIST SP 800-53 R3 PS-6 MA-5
NIST SP 800-53 R3 SA-7 PS-3 (3)
NIST SP 800-53 R3 SC-30 PS-6
NIST SP 800-53 R3 AC-2 AC-2 (1) 99.31(a)(1)(ii)

NIST SP 800-53 R3 AC-2 (1) AC-2 (2)
NIST SP 800-53 R3 AC-2 (2) AC-2 (3)
NIST SP 800-53 R3 AC-2 (3) AC-2 (4)
NIST SP 800-53 R3 AC-2 (4) AC-2 (7)
NIST SP 800-53 R3 AC-2 (7) AC-2 (9)
NIST SP 800-53 R3 AU-6 AC-6 (9)
NIST SP 800-53 R3 AU-6 (1) AU-6
NIST SP 800-53 R3 AU-6 (3) AU-6 (1)
NIST SP 800-53 R3 PS-6 AU-6 (3)
NIST SP 800-53 R3 PS-7 CM-7 (2)
PS-3 (3)
PS-6
PS-7
NIST SP 800-53 R3 AC-2 AC-2 (1) 99.31(a)(1)(ii)
NIST SP 800-53 R3 AC-2 (1) AC-2 (2)
NIST SP 800-53 R3 AC-2 (2) AC-2 (3)
NIST SP 800-53 R3 AC-2 (3) AC-2 (4)
NIST SP 800-53 R3 AC-2 (4) AC-2 (7)
NIST SP 800-53 R3 AC-2 (7) AC-2 (10)
NIST SP 800-53 R3 PS-4 AC-6 (9)
NIST SP 800-53 R3 SC-30 PS-5
NIST SP 800-53 R3 AC-1 AC-1 99.3

NIST SP 800-53 R3 AC-2 AC-2 99.31(a)(1)(ii)
NIST SP 800-53 R3 AC-3 AC-2 (10)
NIST SP 800-53 R3 AC-11 AC-3
NIST SP 800-53 R3 AC-11 (1) AC-11
NIST SP 800-53 R3 AU-2 AC-11 (1)
NIST SP 800-53 R3 AU-2 (3) AU-2
NIST SP 800-53 R3 AU-2 (4) AU-2 (3)
NIST SP 800-53 R3 AU-11 AU-11
NIST SP 800-53 R3 IA-2 (1) IA-2 (1)
NIST SP 800-53 R3 IA-2 (2) IA-2 (2)
NIST SP 800-53 R3 IA-2 (3) IA-2 (3)
NIST SP 800-53 R3 IA-2 (8) IA-2 (8)
NIST SP 800-53 R3 IA-5 (1) IA-5 (1)
NIST SP 800-53 R3 IA-5 (2) IA-5 (2)
NIST SP 800-53 R3 IA-5 (3) IA-5 (3)
NIST SP 800-53 R3 IA-5 (6) IA-5 (6)
NIST SP 800-53 R3 IA-5 (7) IA-5 (7)
NIST SP 800-53 R3 SC-10 SC-10

NIST SP 800-53 R3 AC-6 (1) AC-6 (1)
NIST SP 800-53 R3 AC-6 (2) AC-6 (2)
NIST SP 800-53 R3 CM-7 (1) CM-7 (1)
CM-7 (2)
CM-7 (5)
NIST SP 800-53 R3 AU-1 AC-6 (10)
NIST SP 800-53 R3 AU-2 (3) AU-2
NIST SP 800-53 R3 AU-2 (4) AU-2 (3)
NIST SP 800-53 R3 AU-3 (1) AU-3 (1)
NIST SP 800-53 R3 AU-6 (1) AU-6 (1)
NIST SP 800-53 R3 AU-6 (3) AU-6 (3)
NIST SP 800-53 R3 AU-7 (1) AU-7 (1)
NIST SP 800-53 R3 AU-11 AU-9 (4)
NIST SP 800-53 R3 AU-12 AU-11
NIST SP 800-53 R3 PE-2 AU-12
NIST SP 800-53 R3 SI-4 PE-3
NIST SP 800-53 R3 SI-4 (2) RA-5 (8)
NIST SP 800-53 R3 SI-4 (4) SC-18
NIST SP 800-53 R3 SI-4 (5) SI-4
NIST SP 800-53 R3 SI-4 (6) SI-4 (1)
NIST SP 800-53 R3 SC-18 SI-4 (2)
SI-4 (4)
SI-4 (5)
SI-7 (7)
SA-10 (1)

NIST SP 800-53 R3 AU-8 AU-7 (1)
NIST SP 800-53 R3 AU-8 (1) AU-8

NIST SP 800-53 R3 SA-4 (1) SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
-
NIST SP 800-53 R3 CM-7 AC-4 (21)
NIST SP 800-53 R3 CM-7 (1) CA-3
NIST SP 800-53 R3 SC-7 CA-3 (3)
NIST SP 800-53 R3 SC-7 (1) CA-3 (5)
NIST SP 800-53 R3 SC-7 (2) CA-9
NIST SP 800-53 R3 SC-7 (3) CM-7
NIST SP 800-53 R3 SC-7 (4) CM-7 (1)
NIST SP 800-53 R3 SC-7 (5) CM-7 (2)
NIST SP 800-53 R3 SC-7 (7) SC-7
NIST SP 800-53 R3 SC-7 (8) SC-7 (3)
NIST SP 800-53 R3 SC-7 (12) SC-7 (4)
NIST SP 800-53 R3 SC-7 (13) SC-7 (5)
NIST SP 800-53 R3 SC-7 (18) SC-7 (7)
NIST SP 800-53 R3 SC-20 (1) SC-7 (8)
NIST SP 800-53 R3 SC-21 SC-7 (12)
NIST SP 800-53 R3 SC-22 SC-7 (13)
NIST SP 800-53 R3 SC-30 SC-7 (18)
NIST SP 800-53 R3 SC-32 SC-20
SC-21
SC-22
NIST SP 800-53 R3 SC-2 AC-4 (21)

SC-2

NIST SP 800-53 R3 SC-2 CA-3
NIST SP 800-53 R3 SC-7 CA-3 (3)
NIST SP 800-53 R3 SC-7 (1) CA-3 (5)
NIST SP 800-53 R3 SC-7 (2) CA-9
NIST SP 800-53 R3 SC-7 (3) SC-2
NIST SP 800-53 R3 SC-7 (4) SC-7
NIST SP 800-53 R3 SC-7 (5) SC-7 (3)
NIST SP 800-53 R3 SC-7 (7) SC-7 (4)
NIST SP 800-53 R3 SC-7 (8) SC-7 (5)
NIST SP 800-53 R3 SC-7 (12) SC-7 (7)
NIST SP 800-53 R3 SC-7 (13) SC-7 (8)
NIST SP 800-53 R3 SC-7 (18) SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-39
CA-3
AC-6 (5)

NIST SP 800-53 R3 AC-18 AC-18
NIST SP 800-53 R3 AC-18 (1) AC-18 (1)
NIST SP 800-53 R3 AC-18 (2) CA-3
NIST SP 800-53 R3 CM-6 CA-3 (3)
NIST SP 800-53 R3 CM-6 (1) CA-3 (5)
NIST SP 800-53 R3 CM-6 (3) CM-6
NIST SP 800-53 R3 PE-4 CM-6 (1)
NIST SP 800-53 R3 SC-7 PE-4
NIST SP 800-53 R3 SC-7 (1) RA-5 (8)
NIST SP 800-53 R3 SC-7 (2) SC-7
NIST SP 800-53 R3 SC-7 (3) SC-7 (3)
NIST SP 800-53 R3 SC-7 (4) SC-7 (4)
NIST SP 800-53 R3 SC-7 (5) SC-7 (5)
NIST SP 800-53 R3 SC-7 (7) SC-7 (7)
NIST SP 800-53 R3 SC-7 (8) SC-7 (8)
NIST SP 800-53 R3 SC-7 (12) SC-7 (12)
NIST SP 800-53 R3 SC-7 (13) SC-7 (13)
NIST SP 800-53 R3 SC-7 (18) SC-7 (18)
SI-7
CA-3
CA-3 (3)
CA-3 (5)
CA-9
RA-5 (8)
SI-4 (1)
MP-7
MP-7 (1)
AC-19 (5)
NIST SP 800-53 R3 IR-6 (1) IR-6 (1)
NIST SP 800-53 R3 SI-5 IR-9
SI-5
IR-9 (1)

NIST SP 800-53 R3 IR-4 (1) IR-4 (1)
NIST SP 800-53 R3 IR-7 (1) IR-7 (1)
NIST SP 800-53 R3 IR-7 (2) IR-7 (2)
IR-9
AC-6(1)
(10) 99.31(a)(1)(i)
IR-2 (3) 34 CFR 99.32(a)
NIST SP 800-53 R3 IR-6 (1) IR-6
NIST SP 800-53 R3 IR-7 IR-6 (1)
NIST SP 800-53 R3 IR-7 (1) IR-7
NIST SP 800-53 R3 IR-7 (2) IR-7 (1)
NIST SP 800-53 R3 SI-4 IR-7 (2)
NIST SP 800-53 R3 SI-4 (2) IR-9
NIST SP 800-53 R3 SI-4 (4) IR-9 (1)
NIST SP 800-53 R3 SI-4 (5) SI-4
NIST SP 800-53 R3 SI-4 (6) SI-4 (2)
NIST SP 800-53 R3 SI-5 SI-4 (4)
SI-4 (5)
SI-5
NIST SP 800-53 R3 AU-6 (1) AU-6 (1)
NIST SP 800-53 R3 AU-6 (3) AU-6 (3)
NIST SP 800-53 R3 AU-7 (1) AU-7 (1)
NIST SP 800-53 R3 AU-9 (2) AU-9 (2)
NIST SP 800-53 R3 AU-10 AU-11
NIST SP 800-53 R3 AU-10 (5) IR-5
NIST SP 800-53 R3 AU-11 IR-7
NIST SP 800-53 R3 IR-5 IR-7 (1)
NIST SP 800-53 R3 IR-7 IR-7 (2)
NIST SP 800-53 R3 IR-7 (1) IR-8
NIST SP 800-53 R3 IR-7 (2) IR-9
NIST SP 800-53 R3 IR-8 IR-9 (3)
NIST SP 800-53 R3 MP-5 (2) MP-5(4)
NIST SP 800-53 R3 MP-5 (4) SI-7

NIST SP 800-53 R3 IR-4 (1) IR-4 (1)
IR-9
IR-9 (3)
SI-7 (7)

NIST SP 800-53 R3 CP-6 (1) CP-6 (1)
NIST SP 800-53 R3 CP-6 (3) CP-6(3)
NIST SP 800-53 R3 CP-7 (1) CP-7(1)
NIST SP 800-53 R3 CP-7 (2) CP-7(2)
NIST SP 800-53 R3 CP-7 (3) CP-7(3)
NIST SP 800-53 R3 CP-7 (5) CP-8
NIST SP 800-53 R3 CP-8 CP-8(1)
NIST SP 800-53 R3 CP-8 (1) CP-8(2)
NIST SP 800-53 R3 CP-8 (2) SA-4(9)
NIST SP 800-53 R3 SA-9 (1) SA-9(1)
NIST SP 800-53 R3 SC-30 SA-9(2)
NIST SP 800-53 R3 MP-5 (2) MP-5 (4)
NIST SP 800-53 R3 MP-5 (4) PS-7
NIST SP 800-53 R3 PS-7 SA-9
NIST SP 800-53 R3 SA-6 SA-9(1)
NIST SP 800-53 R3 SA-7 S-9(4)
NIST SP 800-53 R3 SA-9 SA-9(5)
NIST SP 800-53 R3 SA-9 (1) SI-7
NIST SP 800-53 R3 SA-9 (1) SA-9(1)
NIST SP 800-53 R3 SA-12 SC-7
NIST SP 800-53 R3 SC-7 SC-7(3)
NIST SP 800-53 R3 SC-7 (1) SC-7(4)
NIST SP 800-53 R3 SC-7 (2) SC-7(5)
NIST SP 800-53 R3 SC-7 (3) SC-7(7)
NIST SP 800-53 R3 SC-7 (4) SC-7(8)
NIST SP 800-53 R3 SC-7 (5) SC-7(12)
NIST SP 800-53 R3 SC-7 (7) SC-7(13)
NIST SP 800-53 R3 SC-7 (8) SC-7(18)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 SC-5 AC-6(10)

NIST SP 800-53 R3 SI-3 RA-5(5)
NIST SP 800-53 R3 SI-3 (1) RA-5(8)
NIST SP 800-53 R3 SI-3 (2) SC-5
NIST SP 800-53 R3 SI-3 (3) SI-3
NIST SP 800-53 R3 SI-5 SI-3(1)
NIST SP 800-53 R3 SI-7 SI-3(2)
NIST SP 800-53 R3 SI-7 (1) SI-5
SI-7(1)
NIST SP 800-53 R3 CM-3 SI-8
CA-8
NIST SP 800-53 R3 CM-3 (2) CM-3
NIST SP 800-53 R3 RA-5 (1) RA-5(1)
NIST SP 800-53 R3 RA-5 (2) RA-5(2)
NIST SP 800-53 R3 RA-5 (3) RA-5(3)
NIST SP 800-53 R3 RA-5 (6) RA-5(5)
NIST SP 800-53 R3 RA-5 (9) RA-5(6)
NIST SP 800-53 R3 SC-30 SA-11(2)
NIST SP 800-53 R3 SI-2 (2) SI-2(2)
NIST SP 800-53 R3 SI-4 SI-2(3)
SI-5
SI-7(7)
CA-9
RA-5(5)
GAPP (Aug 2009) HIPAA / HITECH Act ISO/IEC 27001-2005
1.2.6 45 CFR 164.312(e)(2)(i) A.11.5.6

A.11.6.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.5.2
A.12.5.4
A.12.5.5
A.12.6.1
A.15.2.1
1.2.2 A.6.2.1
1.2.6 A.6.2.2
6.2.1 A.11.1.1
6.2.2
1.2.6 45 CFR 164.312 (c)(1) A.10.9.2
45 CFR 164.312 (c)(2) A.10.9.3
45 CFR 164.312(e)(2)(i) A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1
1.1.0 A.10.8.1
1.2.2 A.10.8.2
1.2.6 A.11.1.1
4.2.3 A.11.6.1
5.2.1 A.11.4.6
7.1.2 A.12.3.1
7.2.1 A.12.5.4
7.2.2 A.15.1.4
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1
10.2.5 45 CFR 164.312(b) Clause 4.2.3 e)

Clause 4.2.3b
Clause 5.1 g
Clause 6
A.15.3.1
1.2.5 45 CFR 164.308 (a)(8) Clause 4.2.3e

1.2.7 45 CFR 164.308(a)(1)(ii)(D) Clause 5.1 g
4.2.1 Clause 5.2.1 d)
8.2.7 Clause 6
10.2.3 A.6.1.8
10.2.5
1.2.2 ISO/IEC 27001:2005
1.2.4 Clause 4.2.1 b) 2)
1.2.6 Clause 4.2.1 c) 1)
1.2.11 Clause 4.2.1 g)
3.2.4 Clause 4.2.3 d) 6)
5.2.1 Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6
45 CFR 164.308 (a)(7)(i) Clause 5.1

45 CFR 164.308 (a)(7)(ii)(B) A.6.1.2
45 CFR 164.308 (a)(7)(ii)(C) A.14.1.3
45 CFR 164.308 (a)(7)(ii)(E) A.14.1.4
45 CFR 164.310 (a)(2)(i)
45 CFR 164.312 (a)(2)(ii)
45 CFR 164.308 (a)(7)(ii)(D) A.14.1.5
A.9.2.2
A.9.2.3
1.2.6 Clause 4.3.3

A.10.7.4
8.2.4 45 CFR 164.308 (a)(7)(i) A.9.1.4

45 CFR 164.310(a)(2)(ii) A.9.2.1
45 CFR 164.310 (c) A.9.2.1
5.2.3 45 CFR 164.310 (a)(2)(iv) A.9.2.4

8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
A.9.2.2
A.9.2.3
A 9.2.4
45 CFR 164.308 (a)(7)(ii)(E) ISO/IEC 27001:2005

A.14.1.2
A 14.1.4
8.2.1 Clause 5.1
A 8.1.1
A.8.2.1
A 8.2.2
A.10.1.1
5.1.0 45 CFR 164.308 (a)(7)(ii)(A) Clause 4.3.3

5.1.1 45 CFR 164.310 (d)(2)(iv) A.10.5.1
5.2.2 45 CFR 164.308(a)(7)(ii)(D) A.10.7.3
8.2.6 45 CFR 164.316(b)(2)(i) (New)
1.2.6 A.6.1.4
A.6.2.1
A.12.1.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.5
A.15.1.3
A.15.1.4
A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
9.1.0 A.6.1.3
9.1.1 A.10.1.1
9.2.1 A.10.1.4
9.2.2 A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
3.2.4 A.10.1.3
8.2.2 A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3
1.2.6 45 CFR 164.308 (a)(5)(ii)(C) A.10.1.4
45 CFR 164.312 (b) A.12.5.1
A.12.5.2
1.2.3 A.7.2.1
1.2.6
4.1.2
8.2.1
8.2.5
8.2.6
3.2.4 45 CFR 164.312(e)(1) A.7.2.1
4.2.3 45 CFR 164.312(e)(2)(i) A.10.6.1
7.1.2 A.10.6.2
7.2.1 A.10.9.1
7.2.2 A.10.9.2
8.2.1 A.15.1.4
8.2.5
1.1.2 A.7.2.2
5.1.0 A.10.7.1
7.1.2 A.10.7.3
8.1.0 A.10.8.1
8.2.5
8.2.6
1.2.6 45 CFR 164.308(a)(4)(ii)(B) A.7.1.3

A.10.1.4
A.12.4.2
A.12.5.1
6.2.1 45 CFR 164.308 (a)(2) A.6.1.3

A.7.1.2
A.15.1.4
5.1.0 45 CFR 164.310 (d)(2)(i) A.9.2.6
5.2.3 45 CFR 164.310 (d)(2)(ii) A.10.7.2
8.2.3 A.9.1.1
A.9.1.2
A.11.4.3
45 CFR 164.310 (c ) A.9.2.5

45 CFR 164.310 (d)(1) A.9.2.6
45 CFR 164.310 (d)(2)(i)
45 CFR 164.310 (d)(2)(iii) A.7.1.1

A.7.1.2
8.2.1 45 CFR 164.310(a)(1) A.9.1.1
8.2.2 45 CFR 164.310(a)(2)(ii) A.9.1.2
8.2.3 45 CFR 164.310(b)
45 CFR 164.310 ( c) (New)
8.2.3 A.9.1.6
8.2.5 45 CFR 164.310 (d)(1) A.9.2.7

8.2.6 A.10.1.2
8.2.3 A.9.1.1
8.1.1 45 CFR 164.312 (a)(2)(iv) Clause 4.3.3

8.2.1 45 CFR 164.312(e)(1) A.10.7.3
8.2.5 A.12.3.2
A.15.1.6
8.1.1 45 CFR 164.312 (a)(2)(iv) A.10.6.1
8.2.1 45 CFR 164.312 (e)(1) A.10.8.3
8.2.5 45 CFR 164.312 (e)(2)(ii) A.10.8.4
A.10.9.2
A.10.9.3
A.12.3.1
A.15.1.3
A.15.1.4
1.2.6 A.12.1.1
8.2.1 A.15.2.2
8.2.7
1.2.4 45 CFR 164.308(a)(1)(ii)(A) Clause 4.2.1 c) & g)

8.2.1 45 CFR 164.308(a)(8) Clause 4.2.3 d)
Clause 4.3.1 & 4.3.3
Clause 7.2 & 7.3
A.7.2
A.15.1.1
A.15.1.3
A.15.1.4
1.1.2 Clause 5.2.2
8.2.1 A.8.2.1
A.8.2.2
A 11.2.4
A.15.2.1
8.2.1 45 CFR 164.308(a)(1)(i) Clause 4.2

45 CFR 164.308(a)(1)(ii)(B) Clause 5
45 CFR 164.316(b)(1)(i) A.6.1.1
45 CFR 164.308(a)(3)(i) (New) A.6.1.2
45 CFR 164.306(a) (New) A.6.1.3
A.6.1.4
A.6.1.5
A.6.1.6
A.6.1.7
A.6.1.8
8.2.1 45 CFR 164.316 (b)(2)(ii) Clause 5

45 CFR 164.316 (b)(2)(iii) A.6.1.1
8.1.0 45 CFR 164.316 (a) Clause 4.2.1

8.1.1 45 CFR 164.316 (b)(1)(i) Clause 5
45 CFR 164.316 (b)(2)(ii) A.5.1.1
45 CFR 164.308(a)(2) A.8.2.2
10.2.4 45 CFR 164.308 (a)(1)(ii)(C) A.8.2.3
Clause 4.2.3
Clause 4.2.4
Clause 4.3.1
Clause 5
Clause 7
A.5.1.2
A.10.1.2
A.10.2.3
A.14.1.2
A.15.2.1
A.15.2.2
1.2.1 45 CFR 164.316 (b)(2)(iii) Clause 4.2.3 f)

8.2.7 45 CFE 164.306€ A.5.1.2
10.2.3
1.2.4 45 CFR 164.308 (a)(1)(ii)(A) Clause 4.2.1 c) through g)
1.2.5 Clause 4.2.3 d)
Clause 5.1 f)
Clause 7.2 & 7.3
A.6.2.1
A.12.5.2
A.12.6.1
A.14.1.2
A.15.1.1
A.15.2.1
A.15.2.2
1.2.4 45 CFR 164.308 (a)(8) Clause 4.2.1 c) through g)

45 CFR 164.308(a)(1)(ii)(B) Clause 4.2.2 b)
Clause 5.1 f)
Clause 7.2 & 7.3
A.6.2.1
A.12.6.1
A.14.1.2
A.15.2.1
A.15.2.2
5.2.3 45 CFR 164.308 (a)(3)(ii)(C) A.7.1.1

7.2.2 A.7.1.2
8.2.1 A.8.3.2
8.2.6
1.2.9 A.8.1.2
1.2.9 45 CFR 164.310(a)(1) A.6.1.5

8.2.6 45 CFR 164.308(a)(4)(i) A.8.1.3
8.2.2 45 CFR 164.308 (a)(3)(ii)(C) A.8.3.1
10.2.5
1.2.6 45 CFR 164.310 (d)(1) A.7.2.1

3.2.4 A.10.7.1
8.2.6 A.10.7.2
A.10.8.3
A.11.7.1
A.11.7.2
A.15.1.4
1.2.5 ISO/IEC 27001:2005

Annex A.6.1.5
1.2.9 Clause 5.1 c)

8.2.1 A.6.1.2
A.6.1.3
A.8.1.1
8.1.0 45 CFR 164.310 (b) A.7.1.3

1.2.10 45 CFR 164.308 (a)(5)(i) Clause 5.2.2
8.2.1 45 CFR 164.308 (a)(5)(ii)(A) A.8.2.2
1.2.10 45 CFR 164.308 (a)(5)(ii)(D) Clause 5.2.2

8.2.1 A.8.2.2
A.11.3.1
A.11.3.2
8.2.3 Clause 5.2.2

A.8.2.2
A.9.1.5
A.11.3.1
A.11.3.2
A.11.3.3
8.2.1 A.15.3.2
8.1.0 45 CFR 164.308 (a)(3)(i) A.11.1.1
45 CFR 164.312 (a)(1) A.11.2.1
45 CFR 164.312 (a)(2)(ii) A.11.2.4
45 CFR 164.308(a)(4)(ii)(B) A.11.4.1
45 CFR 164.308(a)(4)(ii)(c ) A.11.5.2
A.11.6.1
A.10.6.1
A.11.1.1
A.11.4.4
A.11.5.4
8.2.2 45 CFR 164.308 (a)(1)(ii)(D) A.10.1.3
45 CFR 164.308 (a)(3)(ii)(A)
45 CFR 164.308(a)(4)(ii)(A)
45 CFR 164.308 (a)(5)(ii)(C)
45 CFR 164.312 (b)
1.2.6 Clause 4.3.3

6.2.1 A.12.4.3
A.15.1.3
7.1.1 A.6.2.1
7.1.2 A.8.3.3
7.2.1 A.11.1.1
7.2.2 A.11.2.1
7.2.3 A.11.2.4
7.2.4
8.2.2 45 CFR 164.308 (a)(3)(i) A.11.2.1
45 CFR 164.308 (a)(3)(ii)(A) A.11.2.2
45 CFR 164.308 (a)(4)(i) A.11.4.1
45 CFR 164.308 (a)(4)(ii)(B) A 11.4.2
45 CFR 164.308 (a)(4)(ii)(C) A.11.6.1
45 CFR 164.312 (a)(1)
8.2.1 45 CFR 164.308 (a)(3)(ii)(B) A.11.2.4

8.2.7 45 CFR 164.308 (a)(4)(ii)(C)
8.2.1 45 CFR 164.308(a)(3)(ii)(C) ISO/IEC 27001:2005
A.8.3.3
A.11.1.1
A.11.2.1
A.11.2.2
45 CFR 164.308(a)(5)(ii)(c) A.8.3.3

45 CFR 164.308 (a)(5)(ii)(D) A.11.1.1
45 CFR 164.312 (a)(2)(i) A.11.2.1
45 CFR 164.312 (a)(2)(iii) A.11.2.3
45 CFR 164.312 (d) A.11.2.4
A.11.5.5
A.11.4.1
A 11.4.4
A.11.5.4
8.2.1 45 CFR 164.308 (a)(1)(ii)(D) A.10.10.1
8.2.2 45 CFR 164.312 (b) A.10.10.2
45 CFR 164.308(a)(5)(ii)© A.10.10.3
A.10.10.4
A.10.10.5
A.11.2.2
A.11.5.4
A.11.6.1
A.13.1.1
A.13.2.3
A.15.2.2
A.15.1.3
A.10.10.1
A.10.10.6
1.2.4 A.10.3.1
8.2.5 A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4
1.2.6 A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3
45 CFR 164.308 (a)(4)(ii)(A) A.11.4.5

A.11.6.1
A.11.6.2
A.15.1.4
8.2.5 45 CFR 164.312 (e)(1)(2)(ii) A.7.1.1
45 CFR 164.308(a)(5)(ii)(D) A.7.1.2
45 CFR 164.312(e)(1) A.7.1.3
45 CFR 164.312(e)(2)(ii) A.9.2.1
A.9.2.4
A.10.6.1
A.10.6.2
A.10.8.1
A.10.8.3
A.10.8.5
A.10.10.2
A.11.2.1
A.11.4.3
A.11.4.5
A.11.4.6
A.11.4.7
A.12.3.1
A.12.3.2
1.2.7 A.6.1.6
10.1.1 A.6.1.7
10.2.4
1.2.4 45 CFR 164.308 (a)(1)(i) Clause 4.3.3

1.2.7 45 CFR 164.308 (a)(6)(i) A.13.1.1
7.1.2 A.13.2.1
7.2.2
7.2.4
10.2.1
10.2.4
1.2.7 45 CFR 164.312 (a)(6)(ii) Clause 4.3.3

1.2.10 16 CFR 318.3 (a) Clause 5.2.2
7.1.2 16 CFR 318.5 (a) A.6.1.3
7.2.2 45 CFR 160.410 (a)(1) A.8.2.1
7.2.4 A.8.2.2
10.2.4 A.13.1.1
A.13.1.2
A.13.2.1
1.2.7 45 CFR 164.308 (a)(6)(ii) Clause 4.3.3
Clause 5.2.2
A.8.2.2
A.8.2.3
A.13.2.3
A.15.1.3
1.2.7 45 CFR 164.308 (a)(1)(ii)(D) A.13.2.2

1.2.10
8.2.2 A.6.2.3
8.2.5 A.10.6.2
1.2.5 45 CFR 164.308 (a)(4)(ii)(A) A.6.2.3
45 CFR 164.308 (b)(1) A10.2.1
45 CFR 164.308 (b)(2)(i) A.10.8.2
45 CFR 164.308 (b)(2)(ii) A.11.4.6
45 CFR 164.308 (b)(2)(iii) A.11.6.1
45 CFR 164.308 (b)(3) A.12.3.1
45 CFR 164.308 (b)(4) A.12.5.4
45 CFR 164.312(e)(2)(i)
45 CFR 164.312 (c)(1)
45 CFR 164.312(e)(2)(ii)
45 CFR 164.314 (a)(1)(i)
45 CFR 164.314 (a)(1)(ii)(A)
45 CFR 164.314 (a)(2)(i)
45 CFR 164.314 (a)(2)(i)(A)
45 CFR 164.314 (a)(2)(i)(B)
45 CFR 164.314 (a)(2)(i)(C)
45 CFR 164.314 (a)(2)(i)(D)
45 CFR 164.314 (a)(2)(ii)(A)
45 CFR 164.314 (a)(2)(ii)(A)(1)
45 CFR 164.314 (a)(2)(ii)(A)(2)
45 CFR 164.314 (a)(2)(ii)(B)
45 CFR 164.314 (a)(2)(ii)(C)
45 CFR 164.314 (b)(1)
45 CFR 164.314 (b)(2)
45 CFR 164.314 (b)(2)(i)
45 CFR 164.314 (b)(2)(ii)
45 CFR 164.314 (b)(2)(iii)
45 CFR 164.314 (b)(2)(iv)
1.2.11 45 CFR 164.308(b)(1) A.6.2.3
4.2.3 45 CFR 164.308 (b)(4) A.10.2.1
7.2.4 A.10.2.2
10.2.3 A.10.6.2
10.2.4
8.2.2 45 CFR 164.308 (a)(5)(ii)(B) A.10.4.1
1.2.6 45 CFR 164.308 (a)(1)(i)(ii)(A) A.12.5.1

8.2.7 45 CFR 164.308 (a)(1)(i)(ii)(B) A.12.5.2
45 CFR 164.308 (a)(5)(i)(ii)(B) A.12.6.1
A.10.4.2
A.12.2.2
ISO/IEC 27001-2013 ITAR Jericho Forum
A9.4.2 Commandment #1
A9.4.1, Commandment #2
8.1*Partial, A14.2.3, Commandment #4
8.1*partial, A.14.2.7 Commandment #5
A18.2.2
A9.1.1. Commandment #6
Commandment #7
Commandment #8
A9.4.1,
A10.1.1
A18.1.4
A13.2.1, All
A13.2.2,
A9.1.1,
A9.4.1,
A10.1.1
A18.1.4
Clauses Commandment #1
4.3(a), Commandment #2
4.3(b), Commandment #3
5.1(e),
5.1(f),
6.2(e),
9.1,
9.1(e),
9.2,
9.3(f),
A12.7.1
4.3(a), Commandment #2
5.1(e),
5.1(f),
9.1,
9.2,
9.3(f),
A18.2.1
4.4, Commandment #3
5.2(c),
5.3(ab),
6.1.2,
6.1.3,
6.1.3(b),
7.5.3(b),
7.5.3(d),
8.1,
8.3
9.2(g),
9.3,
9.3(b),
9.3(f),
10.2,
A.8.2.1,
A.18.1.1,
A.18.1.3,
A.18.1.4,
A.18.1.5
Clause 5.1(h) Commandment #1

A.17.1.2 Commandment #2
Commandment #2
Commandment #3
Commandment #3
Commandment #4
Commandment #9
Commandment #11
Clause 9.2(g) Commandment #1

Commandment #2
Commandment #4
Commandment #5
Commandment #11
Commandment #3
Commandment #2
Commandment #3
Commandment #5
Commandment #11
A.11.2.2, Commandment #1
A.11.2.3, Commandment #2
Commandment #3
Clause 5.1(h) Commandment #1
Clauses EAR 15 § Commandment #11

9.2(g) 762.6 Period
7.5.3(b) of Retention
5.2 (c) EAR 15 CFR
7.5.3(d) § 786.2
5.3(a) Recordkeepi
5.3(b) ng
8.1
8.3
A.12.3.1
A.8.2.3
A.9.4.5
8.1* (partial) A.14.2.7
A.18.1.3
A.18.1.4
8.1* (partial)
8.1* (partial) A.15.2.1
8.1* (partial) A.15.2.2
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* (partial) A.14.2.2
8.1* (partial) A.14.2.3
8.1* (partial) A.14.2.4
8.1* (partial) A.14.2.7
A.12.6.1
A.16.13
A.18.2.2
A.18.2.3
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* partial A.14.2.2
8.1* partial A.14.2.3
8.1* partial A.14.2.4
A.12.6.1
A.16.1.3
A.18.2.2
A.18.2.3
8.1* (partial) A.14.2.4
8.1* (partial) A.14.2.2 Commandment #2
Commandment #11
Clause
4.2
5.2,
7.5,
8.1
A.18.1.4
A.13.2.1
8.1* (partial) A.14.2.2.
A.18.1.4
A.8.3.2
Annex A.8
Commandment #3
Commandment #5
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
A.11.2.6 ITAR 22 Commandment #4
A.11.2.7 CFR § Commandment #5
120.17 Commandment #11
EAR 15 CFR
§736.2 (b)
Commandment #8
Commandment #3
Commandment #5
Commandment #2
Commandment #3
Commandment #5

CFR § Commandment #2
EAR 15 CFR Commandment #5
§736.2 (b)
Annex
A.10.1
A.10.1.1
A.10.1.2
5.2(c) Commandment #10
5.3(a) Commandment #11
5.3(b)
7.5.3(b)
7.5.3(d)
8.1
8.3
9.2(g)
A.8.2.3
A.10.1.2
A.18.1.5
A.10.1.1
A.18.1.3
A.18.1.4
Annex
A.10.1
A.10.1.1
A.10.1.2
Commandment #5
Commandment #11
Clauses EAR 15 CFR Commandment #1

5.2(c) §736.2 (b) Commandment #2
5.3(a) Commandment #3
5.3(b) Commandment #6
6.1.2 Commandment #7
6.1.2(a)(2) Commandment #9
6.1.3(b) Commandment #10
7.5.3(d)
8.1
8.2
8.3
9.2(g)
A.18.1.1
A.18.1.3
A.18.1.4
A.8.2.2
Clause 7.2(a,b) Commandment #6
A.9.2.5
A.18.2.2
All in sections 4, 5, 6, 7, 8, 9, Commandment #1

10. Commandment #2
A.6.1.1
A.13.2.4
A.6.1.3
A.6.1.4
A.18.2.1
All in section 5 plus clauses Commandment #3

4.4 Commandment #6
4.2(b)
6.1.2(a)(1)
6.2
6.2(a)
6.2(d)
7.1
7.4
9.3
10.2
7.2(a)
7.2(b)
Clause 4.3 Commandment #1
7.2(c)
Clause 5 Commandment #2
7.2(d)
4.4 Commandment #3
7.3(b)
4.2(b)
7.3(c)
6.1.2(a)(1)
6.2
6.2(a)
6.2(d)
7.1
7.4
9.3
10.2
7.2(a)
7.2(b)
7.2(c)
7.2(d)
7.3(b)
7.3(c)
A5.1.1
A.7.2.2
Commandment #7
Clause
4.2.1 a,
4.2(b)
4.3 c,
4.3(a&b)
4.4
5.1(c)
5.1(d)
5.1(e)
5.1(f)
5.1(g)
5.1(h)
5.2
5.2 e,
5.2(f)
5.3
6.1.1(e)(2),
6.1.2(a)(1)
6.2
6.2(a)
6.2(d)
6.2 e, Commandment #3
6.12 (a) (2),
7.1
7.2(a),
7.2(b)
7.2(c)
7.2(d)
7.3(b),
7.3(c)
7.4
7.5.1 (a)
8.1*, partial
8.2
9.1
9.1 e,
9.2,
9.3
9.3(a)
9.3(b&f)
9.3(c),
9.3(c)(1)
9.3(c)(2),
9.3(c)(3)
9.3(d)
9.3(e)
10.1(c)
10.2,
A.5.1.2
A.12.1.2
A.15.2.2
A.17.1.1
A.18.2.2
A.18.2.3
Clause
4.2(b),
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
Clause
6.1.3(a)
6.1.1,
6.1.3(b)
6.1.1(e)(2)
8.1
6.1.2
9.3(a),
6.1.2(a)(1)
9.3(b)
6.1.2(a)(2),
9.3(b)(f)
6.1.2(b)
9.3(c)(c)
6.1.2
9.3(c)(1)
6.1.2(c)(1),
9.3(c)(2)
6.1.2(c)(2)
9.3(c)(3)
6.1.2(d)
9.3(d)
6.1.2(d)(1)
9.3(e)
6.1.2(d)(2)
9.3(f)
6.1.2(d)(3)
A.14.2.3
6.1.2(e)
A.12.6.1
6.1.2(e)(1)
A.17.1.1
6.1.2(e)(2)
A.18.1.1
6.1.3,
A.18.2.2
6.1.3(a)
A.18.2.3
6.1.3(b)
8.3
A.8.1.1
9.3(a),
A.8.1.2
9.3(b)
A.8.1.4
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2) CFR § Commandment #3
9.3(c)(3) 120.17 Commandment #6
9.3(d) EAR 15 CFR Commandment #9
9.3(e) §736.2 (b)
9.3(f)
A.13.2.4
A.7.1.2
A.18.2.2 120.17
A.18.2.3 EAR 15 CFR
§736.2 (b)
Commandment #7
A.8.2.1 ITAR 22 All

A.8.3.1 CFR §
A.8.3.2 120.17
A.8.3.3 EAR 15 CFR
A.6.2.1 §736.2 (b)
A.6.2.2
A.18.1.4

§736.2 (b)
Commandment #2
Commandment #3
Clause 7.2(a), 7.2(b) Commandment #3
Clause 7.2(a), 7.2(b) Commandment #5

A.11.2.8
Clause 7.2(a), 7.2(b) ITAR 22 Commandment #5

A.11.1.5 120.17 Commandment #7
A.9.3.1 EAR 15 CFR Commandment #11
A.11.2.8 §736.2 (b)
A.11.2.9
Commandment #2
Commandment #5
Commandment #11
A.9.2.1, CFR § Commandment #7
A.9.2.5 EAR 15 CFR
A.9.1.2 §736.2 (b)
A.9.4.1
Commandment #6
Commandment #7
Commandment #8
Annex
A.9.2
A.9.2.1
A.9.2.2
A.9.2.3,
A.9.2.4,
A.9.2.5,
A.9.2.6
Commandment #7
Commandment #8
Commandment #10
Clause ITAR 22 Commandment #6

5.2(c) CFR § Commandment #7
5.3(a), 120.17 Commandment #9
5.3(b), EAR 15 CFR Commandment #10
7.5.3(b) §736.2 (b)
7.5.3(d)
A.9.2.6
8.1,
A.9.1.1
8.3
A.9.2.1,
9.2(g) A.9.2.2
A.9.2.5
A.9.4.5
A.18.1.3
Annex
A.9.2,
A.9.2.1,
A.9.2.2,
A.9.2.3,
A.9.2.4,
A.9.2.5,
A.9.2.6,
A.9.3.1,
A.9.4.1,
A.9.4.2,
A.9.4.3,
A.9.4.5
A.9.2.1, A.9.2.2 Commandment #6

Commandment #10

§736.2 (b)
Annex A ITAR 22 Commandment #6
A.9.2.1, A.9.2.2 EAR 15 CFR
A.9.2.3 §736.2 (b)
A.9.2.1, A.9.2.2 Commandment #8
A.9.2.5
A.9.4.2
Deleted Commandment #5
Commandment #7
A.12.4.2, A.12.4.3 Commandment #11
A.12.4.3
A.12.4.1
A.9.2.3
A.9.4.4
A.9.4.1
A.16.1.2
A.16.1.7
A.18.2.3
A.18.1.3
Annex
A.12.1.2
A.12.4,
A.12.4.1,
A.12.4.2,
A.12.4.3,
A.12.6.1,
A.12.6.2,
A.12.4.1
A.16.1.1,
A.12.4.4
A.16.1.2,
A.16.1.3,
A.16.1.4,
A.16.1.5,
A.16.1.6,
A.12.1.3
Commandment #2
Commandment #3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
A.18.1.4
Annex
A.12.1.4
A.12.2.1
A.12.4.1
A.12.6.1
8.1,partial, A.14.2.2
8.1,partial, A.14.2.3
8.1,partial, A.14.2.4
Commandment #9
Commandment #10
Commandment #11
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
A.8.1.1
6.1.2 (c) Commandment #1
A.8.1.2
6.1.2(c)(1), Commandment #2
A.8.1.3
6.1.2(c)(2) Commandment #3
A.11.2.1
6.1.2(d) Commandment #4
A.11.2.4
6.1.2(d)(1) Commandment #5
A.13.1.1
A.13.1.2
A.13.2.1
6.1.2(e) Commandment #11
A.8.3.3
6.1.2(e)(1)
A.12.4.1
6.1.2(e)(2)
A.9.2.1,
6.1.3, A.9.2.2
A.13.1.3
6.1.3(a)
A.10.1.1
6.1.3(b)
A.10.1.2
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
9.3(d)
9.3(e)
9.3(f)
A.14.2.3
A.12.6.1
A.18.1.1
A.18.2.2
A.18.2.3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
Clause
6.1.2(a)(1)
6.1.1,
6.1.2(a)(2),
6.1.1(e)(2)
6.1.2(b)
6.1.2
6.1.2 (c)
6.1.2(a)(1)
6.1.2(c)(1),
6.1.2(a)(2),
6.1.2(c)(2)
6.1.2(b)
6.1.2(d)
6.1.2 (c)
6.1.2(d)(1)
6.1.2(c)(1),
6.1.2(d)(2)
6.1.2(c)(2)
6.1.2(d)(3)
6.1.2(d)
6.1.2(e)
6.1.2(d)(1)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
Clause
6.1.2(d)(1)
6.1.1,
6.1.2(d)(2)
6.1.1(e)(2)
6.1.2(d)(3)
6.1.2
6.1.2(e)
6.1.2(a)(1)
6.1.2(e)(1)
6.1.2(a)(2),
Clause
6.1.2(e)(2)
6.1.2(b)
6.1.1,
6.1.3,
6.1.2 (c)
6.1.1(e)(2)
6.1.3(a)
6.1.2(c)(1),
6.1.2
6.1.3(b)
6.1.2(c)(2)
6.1.2(a)(1)
8.1
6.1.2(d)
6.1.2(a)(2),
8.3
6.1.2(d)(1)
Clause
6.1.2(b)
9.3(a),
6.1.2(d)(2)
6.1.1,
6.1.2
9.3(b) (c)
6.1.2(d)(3)
6.1.1(e)(2)
6.1.2(c)(1),
9.3(b)(f)
6.1.2(e)
6.1.2
6.1.2(c)(2)
9.3(c)
Clause
6.1.2(e)(1)
6.1.2(a)(1)
6.1.2(d)
9.3(c)(1)
6.1.1,
6.1.2(e)(2)
6.1.2(a)(2),
6.1.2(d)(1)
9.3(c)(2)
6.1.1(e)(2)
6.1.3,
6.1.2(b)
6.1.2(d)(2)
9.3(c)(3)
6.1.2
6.1.3(a)
6.1.2
9.3(d)(c)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
Clause
6.1.2(c)(1),
6.1.2(e)
9.3(e)
6.1.2(a)(2),
8.1
6.1.1,
6.1.2(c)(2)
6.1.2(e)(1)
9.3(f)
6.1.2(b)
8.3
6.1.1(e)(2)
6.1.2(d)
6.1.2(e)(2)
A.14.2.3
6.1.2 (c)
9.3(a),
6.1.2
6.1.2(d)(1)
6.1.3,
A.12.6.1
Clause
6.1.2(c)(1),
9.3(b)
6.1.2(a)(1)
6.1.2(d)(2)
6.1.3(a)
A.18.1.1
6.1.1,
6.1.2(c)(2)
9.3(b)(f)
6.1.2(a)(2),
6.1.2(d)(3)
6.1.3(b)
A.18.2.2
6.1.1(e)(2)
6.1.2(d)
9.3(c)
6.1.2(b)
6.1.2(e)
8.1
A.18.2.3
6.1.2
6.1.2(d)(1)
9.3(c)(1)
Clause
6.1.2 (c)
6.1.2(e)(1)
8.3
6.1.2(a)(1)
6.1.2(d)(2)
9.3(c)(2)
6.1.1,
6.1.2(c)(1),
6.1.2(e)(2)
9.3(a),
6.1.2(a)(2),
6.1.2(d)(3)
9.3(c)(3)
6.1.1(e)(2)
6.1.2(c)(2)
6.1.3,
9.3(b)
6.1.2(b)
6.1.2(e)
9.3(d)
6.1.2
6.1.2(d)
6.1.3(a)
9.3(b)(f)
6.1.2 (c)
6.1.2(e)(1)
9.3(e)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.3(b)
9.3(c)
6.1.2(c)(1),
6.1.2(e)(2)
9.3(f)
6.1.2(a)(2),
6.1.2(d)(2)
8.1
9.3(c)(1)
6.1.2(c)(2)
6.1.3,
Clause
A.14.2.3
6.1.2(b)
6.1.2(d)(3)
8.3
9.3(c)(2)
6.1.2(d)
6.1.3(a)
6.1.1,
A.12.6.1
6.1.2 (c)
6.1.2(e)
9.3(a),
9.3(c)(3)
6.1.2(d)(1)
6.1.3(b)
6.1.1(e)(2)
A.18.1.1
6.1.2(c)(1),
6.1.2(e)(1)
9.3(b)
9.3(d)
6.1.2(d)(2)
8.1
6.1.2
A.18.2.2
6.1.2(c)(2)
Clause
6.1.2(e)(2)
9.3(b)(f)
9.3(e)
6.1.2(d)(3)
8.3
6.1.2(a)(1)
A.18.2.3
6.1.2(d)
6.1.1,
6.1.3,
9.3(c)
9.3(f)
6.1.2(e)
9.3(a),
6.1.2(a)(2),
6.1.2(d)(1)
6.1.1(e)(2)
6.1.3(a)
9.3(c)(1)
A.14.2.3
6.1.2(e)(1)
9.3(b)
6.1.2(b)
6.1.2(d)(2)
6.1.2
6.1.3(b)
9.3(c)(2)
A.12.6.1
Clause
6.1.2(e)(2)
9.3(b)(f)
6.1.2 (c)
6.1.2(d)(3)
6.1.2(a)(1)
8.1
9.3(c)(3)
A.18.1.1
6.1.1,
6.1.3,
9.3(c)
6.1.2(c)(1),
6.1.2(e)
6.1.2(a)(2),
8.3
9.3(d)
A.18.2.2
6.1.1(e)(2)
6.1.3(a)
9.3(c)(1)
6.1.2(c)(2)
Clause
6.1.2(e)(1)
6.1.2(b)
9.3(a),
9.3(e)
A.18.2.3
6.1.2
6.1.3(b)
9.3(c)(2)
6.1.2(d)
6.1.1,
6.1.2(e)(2)
6.1.2
9.3(b)
9.3(f) (c)
6.1.2(a)(1)
8.1
9.3(c)(3)
6.1.2(d)(1)
6.1.1(e)(2)
6.1.3,
6.1.2(c)(1),
9.3(b)(f)
A.14.2.3
6.1.2(a)(2),
8.3
9.3(d)
6.1.2(d)(2)
6.1.2
6.1.3(a)
6.1.2(c)(2)
9.3(c)
A.12.6.1
6.1.2(b)
9.3(a),
9.3(e)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
6.1.2(d)
9.3(c)(1)
A.18.1.1
6.1.2
9.3(b)
9.3(f) (c)
6.1.2(e)
6.1.2(a)(2),
8.1
6.1.2(d)(1)
9.3(c)(2)
A.18.2.2
6.1.2(c)(1),
9.3(b)(f)
A.14.2.3
6.1.2(e)(1)
6.1.2(b)
8.3
6.1.2(d)(2)
9.3(c)(3)
A.18.2.3
6.1.2(c)(2)
9.3(c)
A.12.6.1
6.1.2(e)(2)
6.1.2 (c)
9.3(a),
6.1.2(d)(3)
9.3(d)
6.1.2(d)
9.3(c)(1)
A.18.1.1
6.1.3,
6.1.2(c)(1),
9.3(b)
6.1.2(e)
9.3(e)
6.1.2(d)(1)
9.3(c)(2)
A.18.2.2
6.1.3(a)
6.1.2(c)(2)
9.3(b)(f)
6.1.2(e)(1)
9.3(f)
6.1.2(d)(2)
9.3(c)(3)
A.18.2.3
6.1.3(b)
6.1.2(d)
9.3(c)
6.1.2(e)(2)
A.14.2.3
6.1.2(d)(3)
9.3(d)
8.1
6.1.2(d)(1)
9.3(c)(1)
6.1.3,
A.12.6.1
6.1.2(e)
9.3(e)
8.3
6.1.2(d)(2)
9.3(c)(2)
6.1.3(a)
A.18.1.1
6.1.2(e)(1)
9.3(f)
9.3(a),
6.1.2(d)(3)
9.3(c)(3)
6.1.3(b)
A.18.2.2
6.1.2(e)(2)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
Clause
6.1.2(a)(1)
6.1.1,
6.1.2(a)(2),
6.1.1(e)(2)
6.1.2(b)
6.1.2
Clause
6.1.2 (c)
6.1.2(a)(1)
6.1.1,
6.1.2(c)(1),
6.1.2(a)(2),
6.1.1(e)(2)
6.1.2(c)(2)
6.1.2(b)
6.1.2
6.1.2(d)
6.1.2 (c)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.2(c)(1),
6.1.2(a)(2),
6.1.2(d)(2)
6.1.2(c)(2)
Clause
6.1.2(b)
6.1.2(d)(3)
6.1.2(d)
6.1.1,
6.1.2 (c)
6.1.2(e)
6.1.2(d)(1)
6.1.1(e)(2)
6.1.2(c)(1),
6.1.2(e)(1)
6.1.2(d)(2)
6.1.2
6.1.2(c)(2)
6.1.2(e)(2)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.2(d)
6.1.3,
6.1.2(e)
6.1.2(a)(2),
6.1.2(d)(1)
6.1.3(a)
Clause
6.1.2(e)(1)
6.1.2(b)
6.1.2(d)(2)
6.1.3(b)
6.1.1,
6.1.2(e)(2)
6.1.2 (c)
6.1.2(d)(3)
8.1
6.1.1(e)(2)
6.1.3,
6.1.2(c)(1),
6.1.2(e)
8.3
6.1.2
6.1.3(a)
6.1.2(c)(2)
Clause
6.1.2(e)(1)
9.3(a),
6.1.2(a)(1)
6.1.3(b)
6.1.2(d)
6.1.1,
6.1.2(e)(2)
9.3(b)
6.1.2(a)(2),
8.1
6.1.2(d)(1)
6.1.1(e)(2)
6.1.3,
9.3(b)(f)
6.1.2(b)
8.3
6.1.2(d)(2)
6.1.2
6.1.3(a)
9.3(c)
Clause
6.1.2
9.3(a),(c)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
9.3(c)(1)
6.1.1,
6.1.2(c)(1),
9.3(b)
6.1.2(e)
6.1.2(a)(2),
8.1
9.3(c)(2)
6.1.1(e)(2)
6.1.2(c)(2)
9.3(b)(f)
6.1.2(e)(1)
6.1.2(b)
8.3
9.3(c)(3)
6.1.2
6.1.2(d)
9.3(c)
6.1.2(e)(2)
6.1.2
9.3(a),(c)
9.3(d)
6.1.2(a)(1)
6.1.2(d)(1)
9.3(c)(1)
6.1.3,
6.1.2(c)(1),
9.3(b)
9.3(e)
6.1.2(a)(2),
6.1.2(d)(2)
9.3(c)(2)
6.1.3(a)
6.1.2(c)(2)
Clause
9.3(b)(f)
9.3(f)
6.1.2(b)
6.1.2(d)(3)
9.3(c)(3)
6.1.3(b)
6.1.2(d)
6.1.1,
9.3(c)
A.14.2.3
6.1.2 (c)
6.1.2(e)
9.3(d)
8.1
6.1.2(d)(1)
6.1.1(e)(2)
9.3(c)(1)
A.12.6.1
6.1.2(c)(1),
6.1.2(e)(1)
9.3(e)
8.3
6.1.2(d)(2)
6.1.2
9.3(c)(2)
A.18.1.1
6.1.2(c)(2)
6.1.2(e)(2)
9.3(f)
9.3(a),
6.1.2(d)(3)
6.1.2(a)(1)
9.3(c)(3)
A.18.2.2
6.1.2(d)
6.1.3,
Clause
A.14.2.3
9.3(b)
6.1.2(e)
6.1.2(a)(2),
9.3(d)
A.18.2.3
6.1.2(d)(1)
6.1.3(a)
6.1.1,
A.12.6.1
9.3(b)(f)
6.1.2(e)(1)
6.1.2(b)
9.3(e)
6.1.2(d)(2)
6.1.3(b)
6.1.1(e)(2)
A.18.1.1
9.3(c)
6.1.2(e)(2)
6.1.2
9.3(f) (c)
6.1.2(d)(3)
8.1
6.1.2
A.18.2.2
9.3(c)(1)
6.1.3,
6.1.2(c)(1),
A.14.2.3
6.1.2(e)
8.3
6.1.2(a)(1)
A.18.2.3
9.3(c)(2)
6.1.3(a)
6.1.2(c)(2)
A.12.6.1
Clause
6.1.2(e)(1)
9.3(a),
6.1.2(a)(2),
9.3(c)(3)
6.1.3(b)
6.1.2(d)
A.18.1.1
6.1.1,
6.1.2(e)(2)
9.3(b)
6.1.2(b)
9.3(d)
8.1
6.1.2(d)(1)
A.18.2.2
6.1.1(e)(2)
6.1.3,
9.3(b)(f)
6.1.2 (c)
9.3(e)
8.3
6.1.2(d)(2)
A.18.2.3
6.1.2
6.1.3(a)
9.3(c)
6.1.2(c)(1),
9.3(f)
9.3(a),
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
9.3(c)(1)
6.1.2(c)(2)
A.14.2.3
9.3(b)
6.1.2(e)
6.1.2(a)(2),
8.1
9.3(c)(2)
6.1.2(d)
A.12.6.1
9.3(b)(f)
6.1.2(e)(1)
6.1.2(b)
8.3
9.3(c)(3)
6.1.2(d)(1)
A.18.1.1
9.3(c)
Clause
6.1.2(e)(2)
6.1.2 (c)
9.3(a),
9.3(d)
6.1.2(d)(2)
A.18.2.2
9.3(c)(1)
6.1.1,
6.1.3,
6.1.2(c)(1),
9.3(b)
9.3(e)
6.1.2(d)(3)
A.18.2.3
9.3(c)(2)
6.1.1(e)(2)
6.1.3(a)
6.1.2(c)(2)
9.3(b)(f)
9.3(f)
6.1.2(e)
9.3(c)(3)
6.1.2
6.1.3(b)
6.1.2(d)
9.3(c)
A.14.2.3
6.1.2(e)(1)
9.3(d)
6.1.2(a)(1)
8.1
6.1.2(d)(1)
9.3(c)(1)
A.12.6.1
6.1.2(e)(2)
9.3(e)
6.1.2(a)(2),
8.3
6.1.2(d)(2)
9.3(c)(2)
A.18.1.1
6.1.3,
9.3(f)
6.1.2(b)
9.3(a),
6.1.2(d)(3)
9.3(c)(3)
A.18.2.2
6.1.3(a)
A.14.2.3
6.1.2
9.3(b) (c)
6.1.2(e)
9.3(d)
A.18.2.3
6.1.3(b)
A.12.6.1
6.1.2(c)(1),
9.3(b)(f)
6.1.2(e)(1)
9.3(e)
8.1
A.18.1.1
6.1.2(c)(2)
9.3(c)
6.1.2(e)(2)
9.3(f)
8.3
A.18.2.2
6.1.2(d)
9.3(c)(1)
6.1.3,
A.14.2.3
9.3(a),
A.18.2.3
6.1.2(d)(1)
9.3(c)(2)
6.1.3(a)
A.12.6.1
9.3(b)
6.1.2(d)(2)
9.3(c)(3)
6.1.3(b)
A.18.1.1
9.3(b)(f)
6.1.2(d)(3)
9.3(d)
8.1
A.18.2.2
9.3(c)
6.1.2(e)
9.3(e)
8.3
A.18.2.3
9.3(c)(1)
6.1.2(e)(1)
9.3(f)
9.3(a),
9.3(c)(2)
6.1.2(e)(2)
A.14.2.3
9.3(b)
9.3(c)(3)
6.1.3,
A.12.6.1
9.3(b)(f)
9.3(d)
6.1.3(a)
A.18.1.1
9.3(c)
Commandment #3

5.3 (a), CFR § Commandment #6
5.3 (b), 127.12 Commandment #8
7.5.3(b),
5.2 (c),
7.5.3(d),
8.1,
8.3,
9.2(g),
Annex
A.16.1.1
A.16.1.2
5.2 (c), CFR § Commandment #6
5.3 (a), 127.12 Commandment #8
5.3 (b),
7.2(a),
7.2(b),
7.2(c),
7.2(d),
7.3(b),
7.3(c)
7.5.3(b),
7.5.3(d),
8.1,
8.3,
9.2(g)
Annex
A.6.1.1
A.7.2.1,
A.7.2.2,
A.16.1.2,
A.16.1.3,
A.16.1.1
Clause
5.2 (c),
5.3 (a),
5.3 (b),
7.2(a),
7.2(b),
7.2(c),
7.2(d),
7.3(b),
7.3(c)
7.5.3(b),
7.5.3(d),
8.1,
8.3,
9.2(g)
Annex
A.7.2.2,
A.7.2.3,
A.16.1.7,
A.18.1.3
A.16.1.6
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
Clause
6.1.2 (c)
6.1.1,
6.1.2(c)(1),
6.1.1(e)(2)
6.1.2(c)(2)
6.1.2
6.1.2(d)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.2(a)(2),
6.1.2(d)(2)
A.15.1.2
6.1.2(d)(3)
A.13.1.2
6.1.2(e)
6.1.2(e)(1)
6.1.2(c)(2)
6.1.2(e)(2)
6.1.2(d)
6.1.3,
6.1.2(d)(1)
6.1.3(a)
6.1.2(d)(2)
6.1.3(b)
6.1.2(d)(3)
8.1
6.1.2(e)
8.3
6.1.2(e)(1)
9.3(a),
6.1.2(e)(2)
9.3(b)
6.1.3,
9.3(b)(f)
6.1.3(a)
9.3(c)
6.1.3(b)
9.3(c)(1)
8.1
9.3(c)(2)
8.3
9.3(c)(3)
9.3(a),
9.3(d)
9.3(b)
9.3(e)
9.3(b)(f)
9.3(f)
9.3(c)
A.14.2.3
9.3(c)(1)
A.12.6.1
9.3(c)(2)
A.18.1.1
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
A.15.1.2,
8.1* partial,
A.13.2.2,
A.9.4.1
6.1.2(d) Commandment #6
A.10.1.1
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
9.3(d)
9.3(e)
9.3(f)
A.14.2.3
A.12.6.1
A.18.1.1
A.18.2.2
A.18.2.3
ITAR 22
CFR §
120.17
EAR 15 CFR
§736.2 (b)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
Clause
6.1.2 (c)
6.1.1,
6.1.2(c)(1),
6.1.1(e)(2)
6.1.2(c)(2)
6.1.2
6.1.2(d)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.2(a)(2),
6.1.2(d)(2)
6.1.2(b)
6.1.2(d)(3)
6.1.2 (c)
6.1.2(e)
6.1.2(c)(1),
6.1.2(e)(1)
6.1.2(c)(2)
6.1.2(e)(2)
6.1.2(d)
6.1.3,
6.1.2(d)(1)
6.1.3(a)
6.1.2(d)(2)
6.1.3(b)
6.1.2(d)(3)
8.1
6.1.2(e)
8.3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
A.15.1.2
8.1* partial,
8.1* partial, A.15.2.1
A.13.1.2
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
9.3(d)
9.3(e)
A.12.2.1
9.3(f) Commandment #4
Commandment #5
8.1*partial, A.14.2.2, Commandment #4

8.1*partial, A.14.2.3 Commandment #5
A.12.6.1
Commandment #2
Commandment #3
Commandment #5
Commandment #11
Mexico - Federal Law on Protection of Personal Data Held by Private
NERC CIP
Parties
CIP-007-3 - R5.1
CIP-003-3 - R4.2
Chapter VI, Section 1 CIP-003-3 - R1.3 - R4.3

Article 39, I. and VIII. CIP-004-3 R4 - R4.2
CIP-005-3a - R1 - R1.1 - R1.2
Chapter 8
Article 59
CIP-005-3a - R1.3
CIP-007-3 - R9
CIP-004-3 R3.2
CIP-007-3 - R6.1 - R6.2 - R6.3

- R6.4
CIP-007-3 - R8 - R8.1 - R8.2 -
R8.3
Chapter II CIP-003-3 - R4.1
Article 11, 13
CIP-003-3 - R6
General Provisions, Article 3, V. and VI. CIP-003-3 - R4 - R5

Chapter II CIP-003-3 - R4 - R4.1
Article 8, 9, 11, 12, 14, 18, 19, 20, 21
CIP-003-3 - R6
Chapter IV CIP-007-3 - R1.1 - R1.2

Article 30
CIP-007-3 - R7 - R7.1 - R7.2
R7.3
CIP-006-3c R1.2 - R1.3 - R1.4

- R1.6 - R1.6.1 - R2 - R2.2
CIP-006-3c R1.2 - R1.3 - R1.4
-R2 - R2.2
CIP-006-3c R1.2 - R1.3 - R1.4
Chapter II, CIP-006-3c R1.2 - R1.3 - R1.4

Article 19 - R1.6 - R1.6.1 - R2 - R2.2
CIP-003-3 - R4.2
Chapter II, Article 19 and Chapter VI, Section I, Article 39

Chapter II, Article 19 CIP-001-1a - R1 - R2
CIP-003-3 - R1 - R1.1 - R4
CIP-006-3c R1
Chapter VI, Section I, Article 39 CIP-003-3 - R1 - R1.1
Chapter VI, Section I, Article 39 CIP-003-3 - R1 -R1.1 - R1.2 -

R2 - R2.1 - R2.2 - R2.3
Chapter X, Article 64
CIP-009-3 - R2
CIP-003-3 - R3.2 - R3.3 - R1.3

R3 - R3.1 - R3.2 - R3.3
CIP-002-3 - R1.1 - R1.2
CIP-005-3a - R1 - R1.2
CIP-009-3 - R.1.1
Chapter II CIP-009-3 - R4
Article 19
CIP-004-3 - R2.2
CIP-007-3 - R7.1
Chapter VI, Section I, Article 39 and Chapyer VI, Section II, Article 41 CIP-004-3 - R1 - R2 - R2.1
Chapter VI, Section I, Article 39 and Chapyer VI, Section II, Article 41
CIP-003-3 - R5.2
CIP-007-3 - R5.1 - R5.1.2
CIP-007-3 - R2
CIP-007-3 R5.1.1
CIP-003-3 - R5.1.1 - R5.3
CIP-004-3 R2.3
CIP-007-3 R5.1 - R5.1.2
CIP-004-3 R2.2.2
CIP-007-3 - R5 - R.1.3
CIP-004-3 R2.2.3
CIP-007-3 - R5.1.3 -R5.2.1 -
R5.2.3
CIP-004-3 R2.2.3
CIP-007-3 - R5.2 - R5.3.1 -
R5.3.2 - R5.3.3
CIP-007-3 - R2.1 - R2.2 - R2.3

CIP-007-3 - R6.5
CIP-004-3 R2.2.4
CIP-004-3 R3
CIP-004-3 R3
CIP-007-3 - R6.1
Chapter VI, CIP-001-1a R3 - R4
Article 44.
Chatper II,
Article 16, part I
Chapter II, Article 20 CIP-007-3 - R6.1

CIP-008-3 - R1
Chapter II, Article 20 CIP-003-3 - R4.1

CIP-004-3 R3.3
CIP-004-3 R3.3
CIP-008-3 - R1.1
Chapter II
Article 14.
Chapter II
Article 14, 21
Chapter III
Article 25
Chapter V
Article 36
CIP-007-3 - R4 - R4.1 - R4.2
CIP-004-3 R4 - 4.1 - 4.2

CIP-005-3a - R1 - R1.1
CIP-007-3 - R3 - R3.1 - R8.4
FedRAMP CLOUD CONTROLS MATRIX v3.0.1 Candidate Mapping
NIST SP800-53 R4 App

NIST SP800-53 R3 NIST SP800-53 R4
J
SC-2 SA-8 AR-7 The organization

SC-3 SC-2 designs information
SC-4 SC-4 systems to support
SC-5 SC-5 privacy by automating
SC-6 SC-6 privacy controls.
SC-7 SC-7
SC-8 SC-7(3)
SC-9 SC-7(4)
SC-10 SC-7(5)
SC-11 SC-7(7)
SC-12 SC-7(8)
SC-13 SC-7(12)
SC-14 SC-7(13)
SC-17 SC-7(18)
SC-18 SC-8
SC-20 SC-8(1)
SC-21 SC-10
SC-22 SC-13
SC-23 SC-17
SC-18
CA-1 CA-1 AP-1 The organization

CA-2 CA-5 determines and
CA-5 CA-6 documents the legal
CA-6 authority that permits the
collection, use,
maintenance, and sharing
of personally identifiable
information (PII), either
generally or in support of
a specific program or
information system need.
SI-10 AC-2 AR-7 The organization
SI-11 AC-3 designs information
SI-2 AC-5 systems to support
SI-3 AC-6 privacy by automating
SI-4 AC-6(10) privacy controls.
SI-6 SI-2
SI-7 SI-2(3)
SI-9 SI-3
SI-3(1)
SI-3(2)
SI-4
SI-4(2)
SI-4(4)
SI-4(5)
SI-6
SI-7
SI-7(1)
SI-7(7)
SI-10
AC-1 SI-11
AC-4 AR-7 The organization
AC-4 SC-1 designs information
SC-1 SC-8 systems to support
SC-16 SC-8(1) privacy by automating
privacy controls.
CA-2 CA-2 AR-4 Privacy Auditing

CA-7 CA-2(1) and Monitoring. To
PL-6 CA-7 promote accountability,
organizations identify and
address gaps in privacy
compliance,
management,
operational, and technical
controls by conducting
CA-1 CA-1 regularPrivacy
AR-4. assessments
Auditing
CA-2 CA-2 (e.g., internal riskThese
and Monitoring.
CA-6 CA-2(1) assessments).
assessments can Audit for
be self-
RA-5 CA-6 effective implementation
assessments or thirdparty
CA-8 of all privacy
audits controls
that result in
RA-5 identified
reports onincompliance
this appendix,
RA-5(1) organizations
gaps identifiedassess
in
RA-5(2) whether
programs, they: (i)
projects, and
RA-5(3) implement asystems.
information process to
RA-5(6) embed privacy
considerations into the life
cycle of personally
identifiable information
(PII), programs,
information systems,
mission/business
processes, and
technology; (ii) monitor for
changes to applicable
privacy laws, regulations,
AC-1 AC-1
AT-1 AT-1
AU-1 AU-1
CA-1 CA-1
CM-1 CM-1
CP-1 CP-1
IA-1 IA-1
IA-7 IA-7
IR-1 IR-1
MA-1 MA-1
MP-1 MP-1
PE-1 PE-1
PL-1 PL-1
PM-1 PS-1
PS-1 RA-1
RA-1 RA-2
RA-2 SA-1
SA-1 SC-1
SA-6 SC-13
SC-1 SI-1
SC-13 SI-7
SI-1
CP-1 CP-1 UL-2 INFORMATION

CP-2 CP-2 SHARING WITH THIRD
CP-3 CP-2(1) PARTIES - a. Shares
CP-4 CP-2(2) personally identifiable
CP-6 CP-3 information (PII)
CP-7 CP-4 externally, only for the
CP-8 CP-4(1) authorized purposes
CP-9 CP-6 identified in the Privacy
CP-10 CP-6(1) Act and/or described in its
PE-17 CP-6(3) notice(s) or for a purpose
CP-7 that is compatible with
CP-7(1) those purposes; b. Where
CP-7(2) appropriate, enters into
CP-7(3) Memoranda of
CP-8 Understanding,
CP-8(1) Memoranda of
CP-8(2) Agreement, Letters of
CP-9 Intent, Computer
CP-9(1) Matching Agreements, or
CP-9(3) similar agreements, with
CP-10 third parties that
CP-10(2) specifically describe the
IR-9(1) PII covered and
PE-17 specifically enumerate the
purposes for which the PII
may be used; c. Monitors,
audits, and trains its staff
on the authorized sharing
of PII with third parties
and on the consequences
of unauthorized use or
sharing of PII; and d.
Evaluates any proposed
new instances of sharing
PII with third parties to
assess whether the
sharing is authorized and
whether additional or new
public notice is required.
CP-2 CP-2
CP-3 CP-2(1)
CP-4 CP-2(2)
CP-3
CP-4
CP-4(1)
IR-9(2)
PE-1 IR-9(4)
IR-9(3)
PE-4 PE-1
PE-13 PE-4
PE-13
PE-13(2)
PE-13(3)
CP-9 AC-6(5)
CP-10 CP-9
SA-5 CP-9(1)
SA-10 CP-9(3)
SA-11 CP-10
CP-10(2)
SA-4(1)
SA-4(2)
SA-5
SA-10
SA-11
SA-11(1)
PE-1 PE-1
PE-13 PE-13
PE-14 PE-13(2)
PE-15 PE-13(3)
PE-18 PE-14
PE-15
PE-1 IR-9(4)
PE-5 PE-1
PE-14 PE-5
PE-15 PE-14
PE-18 PE-15
MA-2 IR-3(2)
MA-3 MA-2
MA-4 MA-3
MA-5 MA-3(1)
MA-6 MA-3(2)
MA-3(3)
MA-4
MA-4(2)
MA-5
MA-6
CP-8 CP-8
PE-1 CP-8(1)
PE-9 CP-8(2)
PE-10 IR-3(2)
PE-11 PE-1
PE-12 PE-9
PE-13 PE-10
PE-14 PE-11
PE-12
PE-13
PE-13(2)
PE-13(3)
PE-14
RA-3 CP-1
CP-2
CP-2(3)
CP-2(8)
RA-3
CM-2 CM-2
CM-3 CM-2 (1)
CM-4 CM-2 (3)
CM-5 CM-2 (7)
CM-6 CM-3
CM-9 CM-4
MA-4 CM-5
SA-3 CM-6
SA-4 CM-6 (1)
SA-5 CM-9
SA-8 IR-9 (2)
SA-10 MA-4
SA-11 MA-4 (2)
SA-12 SA-3
SA-4
SA-4 (1)
SA-4 (2)
SA-5
SA-8
SA-10
SA-11
SA-11 (1)
SI-7
CP-2 CP-2 FTC Fair Information

CP-6 CP-2 (1) Principles
CP-7 CP-2 (2)
CP-8 CP-6 Integrity/Security
CP-9 CP-6 (1)
SI-12 CP-6 (3) Security involves both
AU-11 CP-7 managerial and technical
CP-7 (1) measures to protect
CP-7 (2) against loss and the
CP-7 (3) unauthorized access,
CP-8 destruction, use, or
CP-8 (1) disclosure of the data.(49)
CP-8 (2) Managerial measures
CP-9 include internal
CP-9 (1) organizational measures
CP-9 (3) that limit access to data
and ensure that those
individuals with access do
not utilize the data for
unauthorized purposes.
Technical security
measures to prevent
unauthorized access
include encryption in the
transmission and storage
of data; limits on access
through use of
passwords; and the
storage of data on secure
servers or computers . -
http://www.ftc.gov/reports/
privacy3/fairinfo.shtm
CA-1 CA-1
CM-1 CM-1
CM-9 CM-9
PL-1 PL-1
PL-2 SA-1
SA-1 SA-3
SA-3 SA-4
SA-4 SA-4 (1)
SA-10 (1)
SA-4 SA-4
SA-5 SA-4 (1)
SA-8 SA-4 (2)
SA-9 SA-4 (9)
SA-10 SA-5
SA-11 SA-8
SA-12 SA-9
SA-13 SA-9 (1)
SA-10
SA-10 (1)
SA-11
SA 11 (1)
CM-1 CM-1
CM-2 CM-2
SA-3 CM-2 (1)
SA-4 CM-2 (2)
SA-5 CM-2 (3)
SA-8 CM-2 (7)
SA-10 SA-3
SA-11 SA-4
SA-13 SA-4 (1)
SA-4 (2)
SA-5
SA-8
SA-10
SA-10 (1)
SA-11
SA-11 (1)
CM-1 AC-6 (10) FTC Fair Information

CM-2 CM-1 Principles
CM-3 CM-2
CM-5 CM-2 (1) Involves both managerial
CM-7 CM-2 (3) and technical measures
CM-8 CM-2 (7) to protect against loss
CM-9 CM-3 and the unauthorized
SA-6 CM-5 access, destruction, use,
SA-7 CM-5 (1) or disclosure of the data.
SI-1 CM-5 (3) (49) Managerial
SI-3 CM-5 (5) measures include internal
SI-4 CM-7 organizational measures
SI-7 CM-7 (1) that limit access to data
CM-8 and ensure that those
CM-8 (1) individuals with access do
CM-8 (3) not utilize the data for
CM-8 (5) unauthorized purposes.
CM-9 Technical security
CM-10 measures to prevent
CM-10 (1) unauthorized access
SI-1 include encryption in the
SI-3 transmission and storage
SI-3 (1) of data; limits on access
SI-3 (2) through use of
SI-4 passwords; and the
SI-4 (2) storage of data on secure
SI-4 (4) servers or computers . -
SI-4 (5) http://www.ftc.gov/reports/
SI-7 privacy3/fairinfo.shtm
SI-7 (1)
CA-1 CA-1 AR- 4. Privacy Monitoring
CA-6 CA-6 and Auditing.
CA-7 CA-7 Organizations also: (i)
CM-2 CM-2 implement technology to
CM-3 CM-2 (1) audit for the security,
CM-5 CM-2 (2) appropriate use, and loss
CM-6 CM-2 (3) of PII; (ii) perform reviews
CM-9 CM-2 (7) to ensure physical
PL-2 CM-3 security of documents
PL-5 CM-5 containing PII; (iii) assess
SI-2 CM-5 (1) contractor compliance
SI-6 CM-5 (5) with privacy requirements;
SI-7 CM-6 and (iv) ensure that
CM-6 (1) corrective actions
CM-9 identified as part of the
SI-2 assessment process are
SI-2 (2) tracked and monitored
SI-6 until audit findings are
SI-7 corrected. The
SI-7 (1) organization Senior
Agency Official for
Privacy (SAOP)/Chief
Privacy Officer (CPO)
coordinates monitoring
and auditing efforts with
information security
officials and ensures that
RA-2 AC-4 the
DM-1 results are provided
Minimization of to
AC-4 RA-2 senior managers and
Personsally Identifidable
oversight
Information. officials.
DM-2 Data
Retention & Disposal.
DM-3 Minimization of PII
used in Testing, Training,
and Research.
TR-2 SYSTEM OF
RECORDS NOTICES
AND PRIVACY ACT
STATEMENTS
AC-14 AC-1 TR-2 SYSTEM OF
AC-21 AC-22 RECORDS NOTICES
AC-22 SC-8 AND PRIVACY ACT
IA-8 SC-8(1) STATEMENTS
AU-10 SI-7
SC-4
SC-8
SC-9
AC-16 AC-1 DM-1 Minimization of

MP-1 MP-1 Personsally Identifidable
MP-3 MP-3 Information. DM-2 Data
PE-16 PE-16 Retention & Disposal.
SI-12 SI-1 DM-3 Minimization of PII
SC-9 SI-12 used in Testing, Training,
and Research. SE-1
INVENTORY OF
PERSONALLY
IDENTIFIABLE
SA-11 AC-4(21) INFORMATION
DM-1 Minimization of
CM-04 SA-11 Personsally Identifidable
SA-11(1) Information. DM-2 Data
Retention & Disposal.
DM-3 Minimization of PII
used in Testing, Training,
and Research.
CA-2 AC-4(21) AP-1 AUTHORITY TO

PM-5 MP-7(1) COLLECT. AP-2
PS-2 PS-2 PURPOSE
RA-2 SA-2 SPECIFICATION.
SA-2 RA-2
MP-6 AC-4(21) DM-2 DATA RETENTION
PE-1 PE-1 AND DISPOSAL
MP-7
MP-7(1)
PE-2 PE-2
PE-3 PE-3
PE-6 PE-6
PE-7 PE-6(1)
PE-8 PE-8
PE-18
IA-3 IA-3
IA-4 IA-4
IA-4(4)
AC-17 AC-1
MA-1 AC-17
PE-1 AC-17(1)
PE-16 AC-17(2)
PE-17 AC-17(3)
AC-17(4)
MA-1
PE1
PE-16
PE-17
CM-8 CM-8
CM-8(1)
CM-8(3)
CM-8(5)
MP-6
MP-6(2)
PE-2 PE-2
PE-3 PE-3
PE-4 PE-4
PE-5 PE-5
PE-6 PE-6
PE-6(1)
PE-7 PE-16
PE-16
PE-18
MA-1 MA-1
MA-2 MA-2
PE-16 PE-16
SC-39
PE-2 PE-2
PE-3 PE-3
PE-6 PE-6
PE-18 PE-6(1)
SC-12 SC-12
SC-13 SC-13
SC-17 SC-17
SC-28 SC-28(1)
AC-18 AC-1
IA-3 AC-18
IA-7 AC-18(1)
SC-7 IA-7
SC-8 SC-7(4)
SC-9 SC-8
SC-13 SC-8(1)
SC-16 SC-13
SC-23 SC-23
SI-8 SC-28
SC-28(1)
SI-8
SC-12
CM-2 CM-2 AR-1 Governance and

SA-2 CM-2(1) Privacy Program. TR-1
SA-4 CM-2(3) PRIVACY NOTICE. TR-3
CM-2(7) DISSEMINATION OF
CM-10(1) PRIVACY PROGRAM
CM-11 INFORMATION
SA-2
SA-4
SA-4(1)
CA-3 AC-6(9) AR-2 Privacy Impact and

RA-2 AC-21 Risk Assessment
RA-3 CA-3
MP-8 RA-2
PM-9 RA-3
SI-12 SI-12
AT-2 AT-2 AR-1 Governance and
AT-3 AT-3 Privacy Program
CA-1 AT-4
CA-5 CA-1
CA-6 CA-5
CA-7 CA-6
PM-10 CA-7
PM-1 AC-6(5) AR-1 Governance and

PM-2 Privacy Program
PM-3
PM-4
PM-5
PM-6
PM-7
PM-8
PM-9
PM-10
PM-11
CM-1 CM-1
PM-1
PM-11
AC-1 AC-1
AT-1 AT-1
AU-1 AU-1
CA-1 CA-1
CM-1 CM-1
IA-1 IA-1
IR-1 IR-1
MA-1 MA-1
MP-1 MP-1
MP-1 PE-1
PE-1 PL-1
PL-1 PS-1
PS-1 SA-1
SA-1 SC-1
SC-1 SI-1
SI-1
PL-4 PS-1
PS-1 PS-8
PS-8
CP-2 AC-1 AR-2 Privacy Impact and

RA-2 AT-1 Risk Assessment
RA-3 AU-1
CA-1
CM-1
CP-1
IA-1
IR-1
MA-1
MP-1
PE-1
PL-1
PS-1
RA-1
RA-3
SC-1
SI-1
AC-1 AC-1
AT-1 AT-1
AU-1 AU-1
CA-1 CA-1
CM-1 CM-1
CP-1 CP-1
IA-1 IA-1
IA-5 IA-5
IR-1 IA-5(1)
MA-1 IA-5(2)
MP-1 IA-5(3)
PE-1 IA-5(6)
PL-1 IA-5(7)
PM-1 IR-1
PS-1 MA-1
RA-1 MP-1
SA-1 PE-1
SC-1 PL-1
SI-1 PS-1
RA-1
SA-1
SC-1
SI-1
PL-5 RA-1
RA-2 RA-2
RA-3 RA-3
AC-4 AC-1 AR-2 Privacy Impact and

CA-2 AC-6(10) Risk Assessment
CA-6 AT-1
PM-9 AU-1
RA-1 CA-1
CA-6
CA-7
CM-1
PL-1
RA-1
RA-2
RA-3
SA-9(1)
SI-4
SI-4(2)
SI-4(4)
SI-4(5)
PS-4 PS-4
PS-2 PS-2
PS-3 PS-3
PS-3 (3)
PL-4 PS-1
PS-6 PS-2
PS-7 PS-6
PS-7
PS-4 PS-2
PS-5 PS-4
PS-
5
PS-6
PS-8
AC-17 AC-1
AC-18 AC-17
AC-19 AC-17 (1)
MP-2 AC-17 (2)
MP-4 AC-17 (3)
MP-6 AC-17 (4)
AC-18
AC-18 (1)
AC-19
MP-2
MP-4
MP-7
PL-4 PS- 6 DI-2 DATA INTEGRITY

PS-6 SA-9 AND DATA INTEGRITY
SA-9 SA-9 (1) BOARD
a. Documents processes
to ensure the integrity of
AT-3 PS-1 AR-1 GOVERNANCE
personally identifiable
PL-4 PS-2 AND PRIVACY
information (PII) through
PM-10 PS-6 PROGRAM
existing security controls;
PS-1 PS-7 Control:
and The organization:
PS-6 Supplemental
b. Establishes Guidance:
a Data
PS-7 The development and
Integrity Board when
implementation of a
AC-8 AC-8 appropriate to oversee
comprehensive
AC-20 AC-20 organizational Computer
governance and privacy
Matching Agreements123
PL-4 AC-20 (1) program demonstrates
AC-20 (2) and to ensure that those
organizational
agreements comply with
accountability for and
the computer matching
commitment
provisions of thethe
to Privacy
protection of individual
Act.
privacy. Accountability
begins with the
IP-1 CONSENT
appointment of an
a. Provides means, where
SAOP/CPO
feasible and with the
appropriate,
authority, mission,
for individuals to
resources,
authorize theand collection,
responsibility
use, maintaining,to develop
and
and implement
sharing a
of personally
multifaceted privacy
identifiable information
program. The
(PII) prior to its collection;
SAOP/CPO, in
b. Provides appropriate
consultation with legal
means for individuals to
counsel, information
AT-1 AT-1 AR-5 PRIVACY
AT-2 AT-2 AWARENESS AND
AT-3 AT-3 TRAINING
AT-4 AT-4 Control: The organization:
a. Develops, implements,
and updates a
comprehensive training
and awareness strategy
aimed at ensuring that
AT-2 AT-2 personnel
UL-1 understand
INTERNAL USE
AT-3 AT-3 privacy responsibilities
Control: The organization
AT-4 AT-4 and
usesprocedures;
personally
PL-4 b. Administers
identifiable basic
information
privacy
(PII) trainingonly for the
internally
[Assignment:
authorized purpose(s)
organization-defined
identified in the Privacy
AC-11 AC-1 frequency,
Act and/or inat public
least
MP-2 AC-2 (5) annually] and targeted,
notices.
MP-3 AC-11 role-based privacy
MP-4 AC-12 training for personnel
MP-1 having responsibility for
MP-2 personally identifiable
MP-3 information (PII) or for
MP-4 activities that involve PII
[Assignment:
AU-9 AC-17 (9) organization-defined
AU-11 AU-9 frequency, at least
AU-14 AU-9 (2) annually]; and
AU-9 (4) c. Ensures that personnel
certify (manually or
electronically) acceptance
of responsibilities for
privacy requirements
[Assignment:
organization-defined
frequency, at least
annually].
AC-1 AC-1
IA-1 AC-2 (9)
AC-2 (10)
AC-7
AC-10
AC-14
AC-17 (9)
CM-7 (5)
IA-1
IA-2 (11)
RA-5 (8)
CM-7
MA-3
MA-4 CM-7
MA-5 CM-7 (1)
CM-7 (5)
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
MA-4
MA-4 (2)
MA-5
IA-2 (5)
AC-1 AC-1
AC-2 AC-2 (1)
AC-5 AC-2 (2)
AC-6 AC-2 (3)
AU-1 AC-2 (4)
AU-6 AC-2 (7)
SI-1 AC-2 (9)
SI-4 AC-5
AC-6
AC-6 (1)
AC-6 (2)
AC-6 (9)
AC-6 (10)
AU-1
AU-2
AU-6
AU-6 (1)
AU-6 (3)
SI-4
SI-4 (2)
SI-4 (4)
SI-4 (5)
CM-5 AC-6 (5)

CM-6 CM-5
CM-5 (1)
CM-5 (5)
CA-3 AC-1 "FTC Fair Information

MA-4 AC-2 (5) Principles
RA-3 AC-21 Integrity/Security
AT-1 Security involves both
AU-1 managerial and technical
CA-1 measures to protect
CM-1 against loss and the
CP-1 unauthorized access,
IA-1 destruction, use, or
IA-4 disclosure of the data.(49)
IA-5 Managerial measures
IA-5 (1) include internal
IA-5 (2) organizational measures
IA-5 (3) that limit access to data
IA-5 (6) and ensure that those
IA-5 (7) individuals with access do
IA-8 not utilize the data for
IR-1 unauthorized purposes.
MA-1 Technical security
MP-1 measures to prevent
PE-1 unauthorized access
PL-1 include encryption in the
PS-1 transmission and storage
RA-1 of data; limits on access
RA-5 through use of
(8) passwords; and the
SA-1 storage of data on secure
SC-1 servers or computers . -
SI-1 http://www.ftc.gov/reports/
privacy3/fairinfo.shtm".
UL-2
INFORMATION
SHARING WITH THIRD
PARTIES
- "FTC Fair Information
Principles
Integrity/Security
Security involves both
managerial and technical
measures to protect
against loss and the
unauthorized access,
destruction, use, or
disclosure of the data.(49)
Managerial measures
include internal
organizational measures
that limit access to data
and ensure that those
individuals with access do
AC-3 AC-2 AP-1 The the
not utilize organization
data for
AC-5 AC-2 (9) determines
unauthorized andpurposes.
AC-6 AC-3 documents the legal
Technical security
IA-2 AC-5 authority
measuresthat permits the
to prevent
IA-4 AC-6 collection,
unauthorized use,access
IA-5 AC-6 (1) maintenance,
include encryptionand sharing
in the
IA-8 AC-6 (2) of personally and
transmission identifiable
storage
MA-5 IA-2 information (PII),
of data; limits either
on access
PS-6 IA-2 (1) generally
through use or in
of support of
SA-7 IA-2 (2) a specific program
passwords; and theor
SI-9 IA-2 (3) information system
storage of data need.
on secure
IA-2 (8) servers or computers . -
IA-4 http://www.ftc.gov/reports/
IA-4 (4) privacy3/fairinfo.shtm"
IA-5
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (6)
IA-5 (7)
IA-8
MA-5
PS-3 (3)
PS-6
SI-7
AC-2 AC-2 (1)

AU-6 AC-2 (2)
PM-10 AC-2 (3)
PS-6 AC-2 (4)
PS-7 AC-2 (7)
AC-2 (9)
AC-6 (9)
AU-6
AU-6 (1)
AU-6 (3)
CM-7 (2)
PS-3 (3)
PS-6
PS-7
AC-2 AC-2 (1) "FTC Fair Information
PS-4 AC-2 (2) Principles
PS-5 AC-2 (3) Integrity/Security
AC-2 (4) Security involves both
AC-2 (7) managerial and technical
AC-2 (10) measures to protect
AC-6 (9) against loss and the
PS-4 unauthorized access,
PS-5 destruction, use, or
disclosure of the data.(49)
Managerial measures
AC-1 AC-1 include
"FTC Fair internal
Information
AC-2 AC-2 organizational
Principles measures
AC-3 AC-2 (10) that
Integrity/Securityto data
limit access
AC-11 AC-3 and ensure
Security that those
involves both
AU-2 AC-11 individuals
managerial and access
with technicaldo
AU-11 AC-11 (1) not utilize the
measures to protect data for
IA-1 AU-2 unauthorized
against loss and purposes.
the
IA-2 AU-2 (3) Technical security
unauthorized access,
IA-5 AU-11 measures
destruction, touse,
prevent
or
IA-6 IA-1 unauthorized
disclosure of the access
data.(49)
IA-8 IA-2 include
Managerial encryption
measures in the
SC-10 IA-2 (1) transmission
include internal and storage
IA-2 (2) of data; limits on
organizational access
measures
IA-2 (3) through use of
that limit access to data
IA-2 (8) passwords;
and ensure that and those
the
IA-5 storage
individuals of data
with on secure
access do
IA-5 (1) servers
not utilize the data for . -
or computers
IA-5 (2) http://www.ftc.gov/reports/
unauthorized purposes.
IA-5 (3) privacy3/fairinfo.shtm"
Technical security
IA-5 (6) measures to prevent
IA-5 (7) unauthorized access
IA-6 include encryption in the
IA-8 transmission and storage
SC-10 of data; limits on access
through use of
passwords; and the
storage of data on secure
AC-5 AC-6 servers or computers . -
AC-6 AC-6 (1) http://www.ftc.gov/reports/
CM-7 AC-6 (2) privacy3/fairinfo.shtm"
SC-3 CM-7
SC-19 CM-7 (1)
CM-7 (2)
CM-7 (5)
AU-1 AC-6 (10)
AU-2 AU-1
AU-3 AU-2
AU-4 AU-2 (3)
AU-5 AU-3
AU-6 AU-3 (1)
AU-7 AU-4
AU-9 AU-5
AU-11 AU-6
AU-12 AU-6 (1)
AU-14 AU-6 (3)
SI-4 AU-7
AU-7 (1)
AU-9
AU-9 (4)
AU-11
AU-12
PE-2
PE-3
RA-5 (8)
SC-18
SI-4
SI-4 (1)
SI-4 (2)
SI-4 (4)
SI-4 (5)
SI-7 (7)
SA-10 (1)
AU-1 AU-1
AU-8 AU-7 (1)
AU-8
SA-4 SA-4
SA-4 (1)
-
SC-7 AC-4 (21)
CA-3
CA-3 (3)
CA-3 (5)
CA-9
CM-7
CM-7 (1)
CM-7 (2)
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-20
SC-21
SC-22
SC-2 AC-4 (21)

SC-2
AC-4 AC-4
SC-2 CA-3
SC-3 CA-3 (3)
SC-7 CA-3 (5)
CA-9
SC-2
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-39
CA-3
AC-6 (5)
AC-1 AC-1
AC-18 AC-18
CM-6 AC-18 (1)
PE-4 CA-3
SC-3 CA-3 (3)
SC-7 CA-3 (5)
CM-6
CM-6 (1)
PE-4
RA-5 (8)
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SI-7
CA-3
CA-3 (3)
CA-3 (5)
CA-9
RA-5 (8)
SI-4 (1)
MP-7
MP-7 (1)
AC-19 (5)
AT-5 IR-6
IR-6 IR-6 (1)
SI-5 IR-9
SI-5
IR-9 (1)
IR-1 IR-1 IP-4 COMPLAINT

IR-2 IR-2 MANAGEMENT. SE-2
IR-3 IR-3 PRIVACY INCIDENT
IR-4 IR-4 RESPONSE
IR-5 IR-4 (1)
IR-7 IR-5
IR-8 IR-7
IR-7 (1)
IR-7 (2)
IR-8
IR-9
IR-2 IR-9
AC-6(1)
(10) IP-4 COMPLAINT
IR-6 IR-9
IR-2 (3) MANAGEMENT. SE-2
IR-7 IR-6 PRIVACY INCIDENT
SI-4 IR-6 (1) RESPONSE
SI-5 IR-7
IR-7 (1)
IR-7 (2)
IR-9
IR-9 (1)
SI-4
SI-4 (2)
SI-4 (4)
SI-4 (5)
SI-5
AU-6 AU-6
AU-7 AU-6 (1)
AU-9 AU-6 (3)
AU-11 AU-7
IR-5 AU-7 (1)
IR-7 AU-9
IR-8 AU-9 (2)
AU-11
IR-5
IR-7
IR-7 (1)
IR-7 (2)
IR-8
IR-9
IR-9 (3)
MP-5
MP-5(4)
SI-7
IR-4 IR-4
IR-5 IR-4 (1)
IR-8 IR-5
IR-8
IR-9
IR-9 (3)
SI-7 (7)
SC-20 CA-3
SC-21 CP-6
SC-22 CP-6 (1)
SC-23 CP-6(3)
SC-24 CP-7
CP-7(1)
CP-7(2)
CP-7(3)
CP-8
CP-8(1)
CP-8(2)
SA-4(9)
SA-9
SA-9(1)
SA-9(2)
CA-3 CA-3
MP-5 MP-5
PS-7 MP-5 (4)
SA-6 PS-7
SA-7 SA-9
SA-9 SA-9(1)
S-9(4)
SA-9(5)
SI-7
CA-3 CA-3
SA-9 SA-9
SA-12 SA-9(1)
SC-7 SC-7
SC-7(3)
SC-7(4)
SC-7(5)
SC-7(7)
SC-7(8)
SC-7(12)
SC-7(13)
SC-7(18)
SA-7 AC-6(10)
SC-5 RA-5(5)
SI-3 RA-5(8)
SI-5 SC-5
SI-7 SI-3
SI-8 SI-3(1)
SI-3(2)
SI-5
SI-7
SI-7(1)
CM-3 SI-8
CA-8
CM-4 CM-3
CP-10 CM-4
RA-5 RA-5
SA-7 RA-5(1)
SI-1 RA-5(2)
SI-2 RA-5(3)
SI-5 RA-5(5)
RA-5(6)
SA-11(2)
SI-1
SI-2
SI-2(2)
SI-2(3)
SI-4
SI-5
SI-7(7)
SC-18 CA-9
RA-5(5)
ndidate Mapping
NZISM ODCA UM: PA R2.0 PCI DSS v2.0
PA ID PA level
14.5 PA17 SGP 6.5
14.6 PA31 BSGP
9.2
14.5 PA25 GP 6.3.1
14.6 6.3.2
16.5 PA20 GP 2.3

16.8 PA25 P 3.4.1
17.4 PA29 SGP 4.1
4.1.1
6.1
6.3.2a
6.5c
8.3
10.5.5
11.5
5.1, 5.3, 5.4 PA15 SGP 2.1.2.b
6.1 PA18 GP 11.2

11.3
6.6
12.1.2.b
1.2 3.1.1
2.2 3.1
3.3
5.2
6.4 12.9.1
12.9.3
12.9.4
12.9.6
4.4 PA15 SGP 12.9.2
5.2(time limit)
6.3(whenever change occurs)
10.1 PA15 SGP

10.2
10.3
10.4
10.5
10.6
10.5 12.1
13.5 12.2
17.1 12.3
12.4
8.1 PA15 SGP

8.4
8.1 PA15 SGP 9.1.3

9.5
9.6
9.9
9.9.1
3.3 PA8 BSGP

12.1 PA15 SGP
12.5
14.5 (software)
8.1 PA15 SGP
8.2
8.3
8.4
6.4 PA8 BSGP

PA15 SGP
12.1
12.2
12.3
12.4
6.4 PA10 BSGP 3.1

13.1 PA29 SGP 3.1.1
3.2
9.9.1
9.5
9.6
10.7
12.1 6.3.2
2.2 PA17 SGP 3.6.7

4.1 6.4.5.2
7.1.3
8.5.1
9.1
9.1.2
9.2b
9.3.1
10.5.2
11.5
12.3.1
12.3.3
12.1 1.1.1
14.1 6.1
14.2 6.4
14.1
12.1 PA14 SGP 1.1.1
12.4 6.3.2
6.4
6.1
PA10 SGP 9.7.1

9.10
12.3
PA25 GP 2.1.1
PA21 GP 4.1
PA5 BSGP 4.1.1
4.2
13.1 9.5
9.6
9.7.1
9.7.2
9.10
17.8 6.4.3
3.4
13.4 PA10 BSGP 3.1.1
13.5 PA39 SGP 9.10
PA34 SGP 9.10.1
PA40 SGP 9.10.2
3.1
12.3
PA4
PA8
PA37
PA38
BSGP
BSGP
SGP
SGP
8.1 PA4 BSGP 9.1
8.2 9.1.1
9.1.2
9.1.3
9.2
PA22 GP
PA33 SGP
12.5 PA4 BSGP 9.8

19.1 9.9
9.10
12.6 PA4 BSGP 9.9.1

12.3.3
12.3.4
4.2 PA4 BSGP 9.1
8.1
8.2 PA4 BSGP

8.1
8.1 PA4 BSGP 9.8

8.2 9.9
8.3
8.4
8.1 PA4 BSGP 9.1

8.2 PA13 SGP
PA24 P
PA36
16.2 PA36 3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
16.1 PA25 GP 2.1.1
3.4
3.4.1
4.1
4.1.1
4.2
4.4 1.1
5.1 1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
3.3 PA10 BSGP 12.1

4.3 PA18 GP 12.1.2
8.4
3.2 12.6.1
12.6.2
4.1 PA8 BSGP 12.1

12.2
4.1 12.5
4.2 PA30 BSGP 12.1

4.3 12.2
4.4
4.5
4.3 12.1.3
4.1 12.1.3
6.1
1.1 PA2 BSGP 12.1.2
3.3 PA15 SGP
5.1
5.2
5.3
5.4
7.1
12.2
17.7
18.1
18.3
3.2 (responsibility) 12.1.2

3.3
3.4
4.1
4.3
5.2 (residual Risk)
2.2
9.29 PA27 BSGP 12.7

12.8.3
9.2 PA27 BSGP 12.4

12.8.2
PA27 BSGP
19.1 PA33 SGP 9.7

19.2 PA34 SGP 9.7.2
19.3 9.8
9.9
11.1
12.3
PA7 BSGP 12.8.2

12.8.3
12.8.4
2.2 PA9 BSGP

PA24
2.2 12.3.5
5.2
4.2
9.1 PA28 BSGP 12.6
12.6.1
12.6.2
9.1 8.5.7
12.6.1
8.1
15.4 10.5.5
15.1 3.5.1
15.2 8.5.1
12.5.4
15.4 9.1.2
3.0 PA24 P 6.4.2
3.1
3.2
3.3
3.4
3.5
9.4 6.4.1
14.1 6.4.2
14.2
19.1
2.2 12.8.1
4.3 12.8.2
12.8.3
12.8.4
3.2
9.2
15.2
9.2 PA24 GP 7.1

15.2 7.1.1
7.1.2
7.1.3
7.2.1
7.2.2
8.5.1
12.5.4
9.2
9.2 8.5.4
8.5.5
15.1 PA9 BSGP 8.1

15.2 PA6 BSGP 8.2,
PA24 P 8.3
PA22 GP 8.4
8.5
10.1,
12.2,
12.3.8
12.2 7.1.2
14.2
17.6 PA11 BSGP 10.1
PA12 SGP 10.2
PA13 SGP 10.3
PA24 P 10.5
10.6
10.7
11.4
12.5.2
12.9.5
PA35 GP
10.4
3.3 PA16 SGP
PA36
17.1 PA3 BSGP 1.1
17.2 PA5 BSGP 1.1.2
PA16 SGP 1.1.3
PA19 GP 1.1.5
PA18 SGP 1.1.6
1.2
1.2.1
2.2.2
2.2.3
14.5 PA3 BSGP 6.4.1

6.4.2
17.6 PA3 BSGP 1.1

18.1 PA5 BSGP 1.2
18.4 PA16 SGP 1.2.1
PA20 GP 1.3
1.4
11.1 PA3 BSGP 1.2.3
17.3 PA6 BSGP 2.1.1
PA16 SGP 4.1
PA20 GP 4.1.1
PA25 P 11.1
PA32 BSGP 9.1.3
PA33 SGP
PA32 BSGP
PA34 SGP
3.2 11.1.e
12.5.3
12.9
4.1 PA8 BSGP 12.9

4.2 PA11 12.9.1
4.6 12.9.2
7.1 12.9.3
12.9.4
12.9.5
12.9.6
7.2 PA8 BSGP 12.5.2

12.5.3
7.3 PA11 BSGP
7.2 PA11 BSGP 12.9.6

7.3
17.1 PA3 BSGP

PA8 BSGP
PA16 SGP
2.4
12.8.2
5.2
2.2
2.4
12.8.2
12.8.3
12.8.4
Appendix A
5.4
5.1
5.1.1
5.2
14.1
17.6 PA1 BSGP
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
12.4 PA2
14.1 PA8 BSGP
3
3.1
3.2
3.3
3.4
3.5
PCI DSS v3.0
6, 6.5
4.1.1, 4.2, 4.3

6.3.1
6.3.2
2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c, 7.1, 7.2, 7.3, 8.1,
8.2, 8.3, 8.4, 8.5, 8.6, 8.7,
8.8
10.5.5, 10.8
11.5, 11.6
11.2
11.3
6.3.2, 6.6
11.2.1, 11.2.2, 11.2.3,
11.3.1, 11.3.2, 12.1.2.b,
12.8.4
3.1
12.9.1
12.9.3
12.9.4
12.9.6
12.9.2, 12.10.2
4.1, 4.1.1, 9.1, 9.2
1.1.2, 1.1.3, 2.2, 12.3

12.6
3.5.2, 3.6.3, 3.7,

5.1, 5.2, 5.3,
6.1, 6.2,
7.1, 7.2,
9.1, 9.2, 9.3, 9.4, 9.5, 9.6,
9.7, 9.8, 9.9,
12.2
9.1.3
9.5
9.6
9.9
9.9.1, 12.2
10.8, 11.6
4.3, 10.8,
11.1.2,
12.1
12.2
12.3
12.4
12.5, 12.5.3,
12.6, 12.6.2,
12.10
3.1
3.1.a
3.2
9.9.1
9.5. 9.5.1
9.6. 9.7, 9.8
10.7, 12.10.1
6.3.2, 12.3.4
2.1, 2.2.4, 2.3, 2.5

3.3, 3.4, 3.6
4.1, 4.2
6.3.1, 6.3.2, 6.4.2, 6.4.3,
6.4.4, 6.4.5.2
6.7
7.1, 7.1.3, 7.1.4
8.3, 8.5.1, 8.7
9.1
9.1.2
9.2
10.5
11.5
12.3
12.8
6.1
6.2
6.3
6.4
6.5
6.6
6.7
1.3.3
2.1, 2.2.2
3.6
4.1
5.1, 5.2, 5.3, 5.4
6.2
7.1
9.1
9.1.1
9.1.2
9.1.3
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
10.1, 10.2, 10.3, 10.4,
10.5, 10.6, 10.7
11.1, 11.4, 11.5
12.3
1.1.1
6.3.2
6.4.5
3.1
9.6.1, 9.7.1
9.10
12.3
1.1.3
12.3.3
2.1.1
3.1
4.1
4.1.1
4.2
9.5, 9.5.1
9.6
9.7
9.8
9.9
6.4.3
3.7
12.5.5
12.10.4
3.1.1
9.8, 9.8.1, 9.8.2, 3.1
9.7.1
9.9
9.9.1
9.1
9.1.1
9.1.2, 9.1.3
9.2, 9.3, 9.4, 9.4.1, 9.4.2,
9.4.3, 9.4.4
9.6.3
9.8, 9.8.1, 9.8.2

12.3
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.1
9.1.1
9.1.3
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.1
9.4.1
9.1.1
9.4.2
9.1.2
9.4.3
9.2
9.4.4
9.3
9.5
9.4
9.5.1
9.4.1
9.4.2
9.4.3
9.4.4
9.5 7.1.3
3.5,
9.5.1
8.1
8.1.1
8.2.2
8.5
8.5.1
3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8,
4.1
6.5.3
8.2.1
8.2.2
2.1.1
2.3
3.3
3.4
3.4.1
4.1
4.1.1
4.2
4.3
6.5.3
6.5.4
8.2.1
3.5.2, 3.5.3
3.6.1, 3.6.3
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
12.2
12.6, 7.3, 8.8, 9.10
12.1
12.2
12.4
7.3, 8.8, 9.10, 12.1

12.2
12.2
12.1.1
12.2
12.2
9.3
12.7
12.8.3
11.1
12.3
12.8.5
12.3
12.6
12.4
8.1.8
10.5
7.1.2
7.1.4
7.2
8.1
8.1.5
8.5
3.5.1, 7.0
8.0
12.5.4
1.2.2
7.1
7.1.2
7.1.3
7.2
7.2.3
9.1.2
9.1.3
7.3
8.8
9.10
6.4.2, 7.3
8.8
9.10
6.4.1
6.4.2, 7.1
7.1.1
7.1.2
7.1.3
7.1.4
12.8
7.2
12.2
7.2.2
7.3
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2
7.1
7.1.1
7.1.2
7.1.3
7.1.4
12.5.4
8.1.4
8.1.3
8.1.4
8.1.5, 12.5.4
8.0
10.1,
12.3
5.0
7.1
7.1.2
7.2
10.1
10.2
10.3
10.4
10.5
10.6
10.7, 10.8
11.4, 11.5, 11.6
12.5.2
10.5.5, 12.10.5
10.4
6.1
1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
1.2.2
1.2.3
1.3
2.2.2
2.2.3
2.2.4
2.5
4.1
2.1
2.2
2.5
5.1
6.4.1
6.4.2
1.1
1.2
1.2.1
1.2.3
1.3
1.4
2.1.1
2.2.3
2.2.4
2.3
4.1
3.5.1, 3.6.6
1.2.3
2.1.1
4.1
4.1.1
11.1, 11.1.a, 11.1.b, 11.1.c, 11.1.d, 11.1.1, 11.1.2
9.1.3
4.1
4.1.1
4.3
4.1
12.5.3
12.10.1
12.1
12.10.1
12.1.1
2.4
12.8.2
12.8.4
2.4
12.8.2
12.8.3
12.8.4
Appendix A
1.4, 5.0
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
Access Control (AC) 1

AC-1 Access Control Policy and Procedures X X AC-1.b.1 [at least every 3 years] AIS-4
AC-1.b.2 [at least annually] DSI-04
DSI-03
AAC-03
DCS-04
EKM-03
GRM-06
GRM-08
GRM-09
GRM-11
HRS-05
HRS-11
IAM-02
IAM-05
IAM-07
IAM-12
IVS-12
AC-2 Account Management X X AC-2j [at least annually] AIS-03 (see Note: these areas implied
note) by previous mappings to SI-
IAM-09 (see 9 which has been
note) incorporated by NIST into
IAM-12 AC-2, AC-3, AC-5, AC-6
AC-2 (1) Account Management | Automated System Account Management X IAM-05

IAM-10
IAM-11
AC-2 (2) Account Management | Removal of Temporary / Emergency Accounts X [No more than 30 days for temporary and IAM-05
emergency account types] IAM-10
IAM-11
AC-2 (3) Account Management | Disable Inactive Accounts X [90 days for user accounts] Requirement: The service provider IAM-05
defines the time period for non- IAM-11
user accounts (e.g., accounts IAM-10
associated with devices). The time
periods are approved and
accepted by the Authorizing
Official.
AC-2 (4) Account Management | Automated Audit Actions X IAM-05

IAM-10
IAM-11
AC-2 (5) Account Management | Inactivity Logout X HRS-11

IAM-07
This activitiy is usually

associated with clear/clean
desk policies - taking into
account that for certain
organizations this will be
their responsibility as
opposed to the Service
Provider's responsibility.
Under third-party access
this would be a
requirement that should be
outlined based on the
information exchanged
during SLAs.
AC-2 (7) Account Management | Role-Based Schemes X IAM-05
IAM-10
IAM-11
AC-2 (9) Account Management | Restrictions on Use of Shared Groups / Accounts X Required if shared/group accounts IAM-02
are deployed IAM-05
IAM-09
IAM-10 Appears to combine
components of seperation
of duty and principle of
least priviledge.
Proper documentation such

as policies should exist to
define proper use.
AC-2 (10) Account Management | Shared / Group Account Credential Termination X Required if shared/group accounts IAM-02
are deployed IAM-11
IAM-12
Apprehensive about
including IAM-10 as it does
not specifically state
revokation of credentials,
only reauthorization.
Removed
AssociatedIAM-10 2/3/15
with access
(BC)
outside of normal service
AC-2 (12) Account Management | Account Monitoring / Atypical Usage X AC-2 (12)(a) and AC-2 (12)(b) No CCM NIST control operations hours although
Additional FedRAMP Requirements Mapping has finer addressed ambiguously in
and Guidance: Required for Identified granularity certain areas of the CCM
privileged accounts. could be associated with
IAM-02 and IAM-09
AC-3 Access Enforcement X X AIS-03 (see Note: these areas implied
IAM-09 9 which has been
IAM-12 incorporated by NIST into
AC-2, AC-3, AC-5, AC-6
AC-4 Information Flow Enforcement X AIS-04

IVS-09
DSI-01
AC-4 (21) Information Flow Enforcement | Physical / Logical Separation of Information X DSI-05 Regarding seperation of
Flows DSI-06 environments.
DSI-07
IVS-06
IVS-08
AC-5 Separation of Duties X AIS-03 (see Note: these areas implied

AC-2, AC-3, AC-5, AC-6
AC-6 Least Privilege X AIS-03 (see Note: these areas implied

IAM-13 AC-2, AC-3, AC-5, AC-6
AC-6 (1) Least Privilege | Authorize Access to Security Functions X IAM-05

IAM-09
IAM-13
AC-6 (2) Least Privilege | Non-Privileged Access For No security Functions X [all security functions] AC-6 (2). Guidance: Examples of IAM-05
security functions include but are IAM-09
not limited to: establishing system IAM-13
accounts, configuring access
authorizations (i.e., permissions,
privileges), setting events to be
audited, and setting intrusion
detection parameters, system
programming, system and security
administration, other privileged
AC-6 (5) Least Privilege | Privileged Accounts X functions. BCR-04
GRM-04
IAM-06 Associated with logical
IVS-11 access reviews of
adminitrative or other
access and timely remova of
such access.
AC-6 (9) Least Privilege | Auditing Use of Privileged Functions X GRM-02
IAM-05
IAM-10 Associated with logical
IAM-11 access reviews of
adminitrative or other
access and timely removal
of such access.
AC-6 (10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged X AIS-03 Implied from previous
Functions CCC-04 mappings to SI-3 (3) and SI-
GRM-11 4 (6) which NIST has
IAM-05 incorporated into AC-6 (10)
IVS-01
SEF-03
TVM-01
AC-7 Unsuccessful Logon Attempts X X AC-7a [not more than three] IAM-02
[fifteen minutes]
AC-7b [locks the account/node for thirty

minutes]
AC-8 System Use Notification X X Parameter: See Additional Requirements and Requirement: The service provider HRS-08
Guidance. shall determine elements of the
cloud environment that require
the System Use Notification
control. The elements of the cloud
environment that require System
Use Notification are approved and
Official (AO).
Requirement: The service provider
shall determine how System Use
Notification is going to be verified
and provide appropriate
periodicity of the check. The
System Use Notification
verification and periodicity are
approved and accepted by the AO.
Guidance: If performed as part of a
Configuration Baseline check, then
the % of items requiring setting
that are checked and that pass (or
fail) check can be provided.
Requirement: If not performed as
part of a Configuration Baseline
check, then there must be
AC-10 Concurrent Session Control X [three (3) sessions for privileged access and documented agreement on how to IAM-02
two (2) sessions for non-privileged access] provide results of verification and
the necessary periodicity of the
verification by the service provider.
AC-11 Session Lock X AC-11a. [fifteen minutes] The documented agreement on HRS-11
how to provide verification of the IAM-12
results are approved and accepted
AC-11 (1) Session Lock | Pattern-Hiding Displays X by the AO. IAM-12
AC-12 Session Termination X HRS-11
Control addresses
appropriate session
termination.
AC-14 Permitted Actions Without Identification or Authentication X X IAM-02
AC-17 Remote Access X X HRS-05
DCS-04
AC-17 (1) Remote Access | Automated Monitoring / Control X HRS-05
DCS-04
AC-17 (2) Remote Access | Protection of Confidentiality / Integrity Using Encryption X HRS-05
DCS-04
AC-17 (3) Remote Access | Managed Access Control Points X HRS-05
DCS-04
AC-17 (4) Remote Access | Privileged Commands / Access X HRS-05
DCS-04
AC-17 (9) Remote Access | Disconnect / Disable Access X [no greater than 15 minutes] IAM-01 IAM-01 and IAM-02 are
IAM-02 applicable provided policies
and other documentation
specifically state the
limitations for session
termination for logical
remote access.
AC-18 Wireless Access X X EKM-03

HRS-05
IVS-12
AC-18 (1) Wireless Access | Authentication and Encryption X EKM-03

HRS-05
IVS-12
AC-19 Access Control For Mobile Devices X X HRS-05

AC-19 (5) Access Control For Mobile Devices | Full Device / Container-Based X MOS-11 Direct mapping to MOS-11
Encryption as the conrol specifically
calls for device encryption
where any sensitive
information can be
accessed via the mobile
device. Partial mapping to
MOS-14 due to the
implication of technical
controls, which can be
inclusive of device
encryption. Removed
mapping to MOS-14 2/3/15
(BC)
AC-20 Use of External Information Systems X X HRS-08

AC-20 (1) Use of External Information Systems | Limits on Authorized Use X HRS-08
AC-20 (2) Use of External Information Systems | Portable Storage Devices X HRS-08
AC-21 Information Sharing X GRM-02
IAM-07
AC-22 Publicly Accessible Content X X AC-22d. [at least quarterly] DSI-03
Awareness and Training (AT) 1

AT-1 Security Awareness and Training Policy and Procedures X X AT-1.b.1 [at least every 3 years] AAC-03
AT-1.b.2 [at least annually] GRM-06
GRM-08
GRM-09
GRM-11
HRS-09
IAM-07
AT-2 Security Awareness Training X X AT-2. [Assignment: organization-defined GRM-03

frequency] HRS-09
HRS-10
Parameter: [at least annually]
AT-2 (2) Security Awareness | Insider Threat X No CCM NIST control HRS-09 and HRS-10
Mapping has finer describe requirements for
Identified granularity Security Awareness Training
but no specfic reference to
insider threats
AT-3 Role-Based Security Training X X AT-3c. [Assignment: organization-defined GRM-03

frequency] HRS-09
HRS-10
Parameter: [at least annually]
AT-4 Security Training Records X X AT-4b. [Assignment: organization-defined GRM-03

frequency] HRS-09
HRS-10
Parameter: [At least one years]
Audit and Accountability (AU) 0

AU-1 Audit and Accountability Policy and Procedures X X AU-1.b.1 [at least every 3 years] AAC-03
AU-1.b.2 [at least annually] GRM-06
GRM-08
GRM-09
GRM-11
IAM-05
IAM-07
IVS-01
IVS-03
AU-2 Audit Events X X AU-2a. [Successful and unsuccessful account IAM-05

logon events, account management events, IAM-12
object access, policy change, privilege IVS-01
functions, process tracking, and system events.
For Web applications: all administrator activity,
authentication checks, authorization checks,
data deletions, data access, data changes, and
permission changes];
AU-2d. [organization-defined subset of the
auditable events defined in AU-2 a. to be
audited continually for each identified event].
AU-2 (3) Audit Events | Reviews and Updates X AU-2 (3). [Assignment: organization-defined Guidance: Annually or whenever IAM-12
frequency] changes in the threat environment IVS-01
are communicated to the service
Parameter: [annually or whenever there is a provider by the Authorizing
change in the threat environment] Official.
AU-3 Content of Audit Records X X IVS-01

AU-3 (1) Content of Audit Records | Additional Audit Information X AU-3 (1). [Assignment: organization-defined AU-3 (1). Requirement: The service IVS-01
additional, more detailed information] provider defines audit record
Parameter: types. The audit record types are
[session, connection, transaction, or activity approved and accepted by the
duration; for client-server transactions, the Authorizing Official.
number of bytes received and bytes sent; Guidance: For client-server
additional informational messages to diagnose transactions, the number of bytes
or identify the event; characteristics that sent and received gives
describe or identify the object or resource bidirectional transfer information
being acted upon] that can be helpful during an
investigation or inquiry.
AU-4 Audit Storage Capacity X X IVS-01
AU-5 Response to Audit Processing Failures X X AU-5b. [Assignment: Organization-defined IVS-01
actions to be taken]
Parameter: [low-impact: overwrite oldest audit

records; moderate-impact: shut down]
AU-6 Audit Review, Analysis, and Reporting X X AU-6a. [Assignment: organization-defined IAM-05
frequency] IAM-10
IVS-01
Parameter: [at least weekly] SEF-04
AU-6 (1) Audit Review, Analysis, and Reporting | Process Integration X IAM-05
IAM-10
IVS-01
SEF-04
AU-6 (3) Audit Review, Analysis, and Reporting | Correlate Audit Repositories X IAM-05
IAM-10
IVS-01
SEF-04
AU-7 Audit Reduction and Report Generation X IVS-01

SEF-04
AU-7 (1) Audit Reduction and Report Generation | Automatic Processing X IVS-01
SEF-04
AU-8 Time Stamps X X IVS-03
AU-8 (1) Time Stamps | Synchronization With Authoritative Time Source X AU-8 (1). [http://tf.nist.gov/tf-cgi/servers.cgi] AU-8 (1). Requirement: The service IVS-03
<At least hourly> provider selects primary and
secondary time servers used by the
NIST Internet time service. The
secondary server is selected from a
different geographic region than
the primary server.
synchronizes the system clocks of
network computers that run
operating systems other than
Windows to the Windows Server
Domain Controller emulator or to
the same time source for that
server.
Guidance: Synchronization of
system clocks improves the
accuracy of log analysis.
AU-9 Protection of Audit Information X X IAM-01

IVS-01
SEF-04
AU-9 (2) Protection of Audit Information | Audit Backup on Separate Physical Systems X AU-9 (2). [at least weekly] IAM-01
/ Components SEF-04
AU-9 (4) Protection of Audit Information | Access by Subset of Privileged Users X IAM-01 Direct Mapping:
IVS-01 IAM-01: specifies restricted
access to audit tools
IVS-01: specifies higher
levels of assurance for
protection of audit logs
AU-11 Audit Record Retention X X AU-11. [at least ninety days] AU-11. Requirement: The service IAM-12
provider retains audit records on- IVS-01
line for at least ninety days and SEF-04
further preserves audit records off-
line for a period that is in
accordance with NARA
requirements.
AU-12 Audit Generation X X AU-12a. [all information system and network IVS-01
components where audit capability is
deployed/available]
Security Assessment and Authorization (CA) 4

CA-1 Security Assessment and Authorization Policies and Procedures X X CA-1.b.1 [at least every 3 years] AIS-02
CA-1.b.2 [at least annually] AAC-02
AAC-03
CCC-01
CCC-05
GRM-03
GRM-06
GRM-08
GRM-09
GRM-11
IAM-07
CA-2 Security Assessments X X CA-2b. [at least annually] AAC-01

CA-2d[individuals or roles to include FedRAMP AAC-02
PMO]
CA-2 (1) Security Assessments | Independent Assessors X X Added to NIST Baseline for "Low" FedRAMP For JAB Authorization, must be an AAC-01
baseline. accredited 3PAO AAC-02
CA-2 (2) Security Assessments | Specialized Assessments X [at least annually] Requirement: To include No CCM Possible CCM states - "Policies and
'announced', 'vulnerability Mapping Mapping to procedures shall be
scanning' Identified TVM-02 established, and supporting
processes and technical
measures implemented, for
timely detection of
vulnerabilities within
organizationally-owned or
managed applications,
infrastructure network and
system components (e.g.
network vulnerability
assessment, penetration
testing) to ensure the
efficiency of implemented
security controls." NIST
states - "Organizations can
employ information system
monitoring, insider threat
assessments, malicious user
testing, and other forms of
testing (e.g., verification
and validation) to improve
readiness by exercising
organizational capabilities
and indicating
current performance levels
as a means of focusing
actions to improve security.
Organizations conduct
assessment activities in
accordance with applicable
federal laws, Executive
Orders, directives, policies,
regulations, and standards.
Authorizing officials
approve the assessment
methods in coordination
with the organizational risk
executive function.
Organizations can
incorporate vulnerabilities
uncovered during
assessments into
vulnerability remediation
processes." Related control
to CA-2 (2) is: SI-2. SI-2 is
mapped to TVM-02 in this
doc. I think this is a good
direct mapping. (JPM)
CA-2 (3) Security Assessments | External Organizations X [Any FedRAMP Accredited 3PAO] [the No CCM Not clear what In the CCM there is no
conditions of a P-ATO in the FedRAMP Mapping control is reference of guidance in
Repository] Identified being defined external organizations
by NIST - assessments, meaning
circular "reciprocity".
definition NIST states - "Supplemental
HSTA - Guidance: Organizations
possible may often rely on
mapping to assessments of specific
STA-05 information systems by
other (external)
organizations. Utilizing such
existing assessments (i.e.,
reusing
existing assessment
evidence) can significantly
decrease the time and
resources required for
organizational assessments
by limiting the amount of
independent assessment
activities that organizations
need to perform. The
factors that organizations
may consider in
determining whether to
accept assessment results
from external organizations
can vary. Determinations
for accepting assessment
results can be based on, for
example, past assessment
experiences one
organization has had with
another organization, the
reputation that
organizations have with
regard to assessments, the
level of detail of supporting
assessment documentation
provided, or
CA-3 System Interconnections X X CA-3c. 3 Years / Annually and on input from GRM-02
FedRAMP IVS-06
IVS-09
IVS-10
IVS-12
IVS-13
STA-03
STA-05
STA-09
CA-3 (3) System Interconnections | Unclassified Non-National Security System X Boundary Protections which meet the Trusted CA-3(3) Guidance: Refer to IVS-06 Finer In the CCM there is no
Connections Internet Connection (TIC) requirements Appendix H – Cloud Considerations IVS-09 granularity of reference of unclassified
of the TIC 2.0 Reference IVS-12 NIST conrol networks and
Architecture document. IVS-13 included in interconnections to Non-
broader CCM National systems.
definition NIST states -
"Organizations typically do
not have control over
external networks (e.g., the
Internet). Approved
boundary protection
devices (e.g., routers,
firewalls) mediate
communications (i.e.,
information flows) between
unclassified non-national
security systems and
external networks. This
control enhancement is
required for organizations
processing, storing, or
transmitting Controlled
Unclassified Information
(CUI)." (JPM)
CA-3 (5) System Interconnections | Restrictions on External Network Connections X For JAB Authorization, CSPs shall IVS-06 In the CCM there is no
include details of this control in IVS-09 reference of blacklisting and
their Architecture Briefing IVS-12 whitelisting of systems for
IVS-13 external connections.
NIST states - "
Organizations can constrain
information system
connectivity to external
domains (e.g., websites) by
employing one of two
policies with regard to such
connectivity: (i) allow-all,
deny by exception, also
known as blacklisting (the
weaker of the two policies);
or (ii) deny-all, allow by
exception, also known as
whitelisting (the stronger of
the two policies). For either
policy, organizations
determine what exceptions,
if any, are acceptable."
(JPM)
CA-5 Plan of Action and Milestones X X CA-5b. [at least monthly] CA-5 Guidance: Requirement: AIS-02
POA&Ms must be provided at GRM-03
least monthly.
CA-6 Security Authorization X X CA-6c. [at least every three years or when a CA-6c. Guidance: Significant AIS-02
significant change occurs] change is defined in NIST Special AAC-02
Publication 800-37 Revision 1, CCC-05
Appendix F. The service provider GRM-03
describes the types of changes to GRM-11
the information system or the
environment of operations that
would impact the risk posture. The
types of changes are approved and
Official.
CA-7 Continuous Monitoring X X CA-7d. [To meet Federal and FedRAMP Operating System Scans: at least AAC-01
requirements] monthly CCC-05
Database and Web Application GRM-03
Scans: at least monthly GRM-11
All scans performed by
Independent Assessor: at least
annually
CA-7 Guidance: CSPs must provide
evidence of closure and
remediation of high vulnerabilities
within the timeframe for standard
POA&M updates.
CA-7 (1) Continuous Monitoring | Independent Assessment X No CCM Specific In the CCM there is no
Mapping requirement reference of Independent
Identified not defined in Assessments on a
CCM continuous monitoring
bases.
CCM AAC-02
states - Independent
assessments have to occur
at least yearly.
"Independent reviews and
assessments shall be
performed at least annually
to ensure that the
organization addresses
nonconformities of
established policies,
standards, procedures, and
compliance obligations."
(JPM)
Could this be clarified using
a new CAIQ question?
CA-8 Penetration Testing X [at least annually] AAC-02 Implied from previous
TVM-02 mapping to RA-5(9) which
NIST has incorporated into
CA-8
CA-8 (1) Penetration Testing | Independent Penetration Agent or Team X No CCM Specific In the CCM there is no
Mapping requirement reference of Independent
Identified not defined in Penetration Agent or Team.
CCM
CCM TVM-02 states -
Penetration testing needs
to be done, but never
mentions it being an
independent agent or team.
"Policies and procedures
shall be established, and
supporting processes and
technical measures
implemented, for timely
detection of vulnerabilities
within organizationally-
owned or managed
applications, infrastructure
network and system
components (e.g. network
vulnerability assessment,
penetration testing) to
ensure the efficiency of
implemented security
controls." (JPM) Could be
addressed with a new CAIQ
question?
Could this be clarified with
a new CAIQ question?
CA-9 Internal System Connections X X IVS-06 CCM States - "Policies and

IVS-09 procedures shall be
IVS-13 established, and supporting
TVM-03 business processes and
technical measures
implemented, to prevent
the execution of
unauthorized mobile code,
defined as software
transferred between
systems over a trusted or
untrusted network and
executed on a local system
without explicit installation
or execution by the
recipient, on
organizationally-owned or
managed user end-point
devices (e.g., issued
workstations, laptops, and
mobile devices) and IT
infrastructure network and
systems components."
NIST States - "This

control applies to
connections between
organizational information
systems and (separate)
constituent system
components (i.e., intra-
system connections)
including, for example,
system connections with
mobile devices,
notebook/desktop
computers, printers,
copiers, facsimile machines,
scanners, sensors, and
servers. Instead of
Configuration Management (CM) 0
CM-1 Configuration Management Policy and Procedures X X CM-1.b.1 [at least every 3 years] AAC-03
CM-1.b.2 [at least annually] CCC-01
CCC-03
CCC-04
GRM-05
GRM-06
GRM-08
GRM-09
GRM-11
IAM-07
CM-2 Baseline Configuration X X BCR-10

CCC-03
CCC-04
CCC-05
GRM-01
CM-2 (1) Baseline Configuration | Reviews and Updates X CM-2 (1) (a). [at least annually] BCR-10
CM-2 (1) (b). [to include when directed by CCC-03
Authorizing Official] CCC-04
CCC-05
GRM-01
CM-2(2) Baseline Configuration | Automation Support For Accuracy / Currency X CCC-03 Suggested mapping:
CCC-05 1) Map to CCM CCC-03,
CCC-05 control series
2) Extend CIAQ to add CCC-
03.2, CCC-05.2 with the
following additional
"Consensus Assessment
Questions":
>>>
CCC-03.2.1: Do you use
automated source code
management tools to
perform the ongoing code
stream segregation and
software code builds, while
ensuring the final build of
each generally available
code stream version
includes:
- Bill of Materials (BOM)
that identifies Application
code modules, middleware,
data stores and OS (inc.
patch levels) mappings to
your Cloud Infrastructure
tiers above Facility, namely,
Hardware/Virtualized-
Infrastructure/Platform-
Architecture/Application.
- Validated Automated
Installation Instructions for
CM-2 (3) Baseline Configuration | Retention of Previous Configurations X BCR-10 each Cloud Infrastructure
CCC-03 tier
CCC-04
CCC-05 CCC-05.2.1: Do you use
GRM-01 automated tools to
maintain pristine baseline
copies of each generally
CM-2 (7) Baseline Configuration | Configure Systems, Components, or Devices for X BCR-10 availablebycode
Implied set within
former mappinga
High-Risk Areas CCC-03 master
of theselibrary
areas stored
to CM-2within
(5)
CCC-04 your Cloud
which has been Operations
CCC-05 DevOps infrastructure
incorporated , so
by NIST into
GRM-01 as
CM-2to: (7) in 800-53r4
- Track your various
instances of Cloud
CM-3 Configuration Change Control X Requirement: The service provider BCR-10 Deployments within a
establishes a central means of CCC-04 centralized Configuration
communicating major changes to CCC-05 Management scheme
or developments in the TVM-02 - Ensure up-to-date,
information system or complete and accurate
environment of operations that maintenance of various
may affect its services to the instances of your Cloud
federal government and associated Deployments
service consumers (e.g., electronic <<<
bulletin board, web status page).
The means of communication are
approved and accepted by the
Authorizing Official.
CM-3e Guidance: In accordance

with record retention policies and
procedures.
CM-4 Security Impact Analysis X X BCR-10
TVM-02
CM-5 Access Restrictions For Change X BCR-10
CCC-04
CCC-05
IAM-06
CM-5 (1) Access Restrictions For Change | Automated Access Enforcement / Auditing X CCC-04
CCC-05
IAM-06
CM-5 (3) Access Restrictions For Change | Signed Components X Guidance: If digital CCC-04 Suggested mapping:
signatures/certificates are 1) Map to CCM CCC-04
unavailable, alternative control series
cryptographic integrity checks 2) Extend CIAQ to add CCC-
(hashes, self-signed certs, etc.) can 04.2, with the following
be utilized. additional "Consensus
Assessment Questions":
>>>
CCC-04.2.1: Have you
implemented processes and
infrastructure that ensure
up-to-date, complete and
accurate maintenance of
various instances of your
Cloud Deployment, by:
- Segregating your
generally available R&D
code set build process from
your DevOps Configuration
Management libraries that
uniquely identify and track
pristine images of each
CM-5 (5) Access Restrictions For Change | Limit Production / Operational Privileges X CM-5 (5) (b). [at least quarterly] CCC-04 revision of your generally
CCC-05 available code set.
IAM-06 - Implementing an access
restriction model to your
CM-6 Configuration Settings X X CM-6a. [See CM-6(a) Additional FedRAMP CM-6a. Requirement: The service BCR-10 DevOps systems according
Requirements and Guidance] provider shall use the Center for CCC-05 to defined Segregation of
Internet Security guidelines (Level IVS-12 Duties (SoD) between your
1) to establish configuration core R&D and Cloud
settings or establishes its own Operations teams based on
configuration settings if USGCB is formal Release-To-
not available. Operations procedures.
CM-6a. Requirement: The service <<<
provider shall ensure that
checklists for configuration settings
are Security Content Automation
Protocol (SCAP) validated or SCAP
compatible (if validated checklists
are not available).
CM-6a. Guidance: Information on
the USGCB checklists can be found
at:
http://usgcb.nist.gov/usgcb_faq.ht
ml#usgcbfaq_usgcbfdcc .
CM-6 (1) Configuration Settings | Automated Central Management / Application / X BCR-10
Verification CCC-05
IVS-12
CM-7 Least Functionality X X CM-7. [United States Government Requirement: The service provider CCC-04
Configuration Baseline (USGCB)] shall use the Center for Internet IAM-03
Security guidelines (Level 1) to IAM-13
establish list of prohibited or IVS-06
restricted functions, ports,
protocols, and/or services or
establishes its own list of
prohibited or restricted functions,
ports, protocols, and/or services if
USGCB is not available.
CM-7. Guidance: Information on
the USGCB checklists can be found
at:
http://usgcb.nist.gov/usgcb_faq.ht
CM-7 (1) Least Functionality | Periodic Review X CM-7(1) [ At least Monthly] ml#usgcbfaq_usgcbfdcc. CCC-04
(Partially derived from AC-17(8).) IAM-03
IAM-13
IVS-06
CM-7 (2) Least Functionality | Prevent Program Execution X CM-7(2) Guidance: This control IAM-10 Suggested mapping:
shall be implemented in a IAM-13 1) Map to CCM IAM-13, IVS-
technical manner on the IVS-06 06 control series
information system to only allow 2) Extend CIAQ to add IAM-
programs to run that adhere to the 13.2, IVS-06.2 with the
policy (i.e. white listing). This following additional
control is not to be based off of "Consensus Assessment
strictly written policy on what is Questions":
allowed or not allowed to run. >>>
IAM-13.2.1: Do you
maintain an up-to-date
Configuration Management
scheme (see suggested
mappings in CM-2 (2)) as
well as Platform-
Architecture
documentation, so as to
enable your Cloud
Operations function to:
- Retain the necessary
restrictions around
powerful utilities and
security devices as they
make changes to your Cloud
architecture as prescribed
by your core R&D function,
release over release
CM-7 (5) Least Functionality | Authorized Software / Whitelisting X CM-7(5)[ at least Annually or when there is a IAM-02 IVS-06.2.1: Do you maintain
Suggested mapping:
change.] IAM-03 an Map
1) up-to-date
to CCMConfiguration
IAM-13
IAM-0 Management
control series scheme (see
IAM-13 suggested
2) mappings
Extend CIAQ to addin IAM-
CM-
2 (2)) with
13.3, as well
theasfollowing
Platform-
Architecture
additional "Consensus
documentation,
Assessment so as to
Questions":
enable
>>> your Cloud
Operations function
IAM-13.3.1: to:
Do you have
- Maintain
defined qualifiedfor your
procedures
infrastructure
core R&D to qualify use,
configurations
restrictions andand whitelisting
periodically
of verifiedwithin
utility programs
hardened
your Cloudsysteminfrastructure,
components
and continuouslyin allreflected
your
Cloud
in Infrastructure
Platform tiers
architecture
above Facility, namely,
documentation, so as to
Hardware/Virtualized-
enable your DevOps and
Infrastructure/Platform-
Cloud Operations function
Architecture/Application.
to:
CM-8 Information System Component Inventory X X CM-8b. [at least monthly] CM-8 Requirement: must be DCS-05 <<<
provided at least monthly or when CCC-04 - Maintain your Cloud's
there is a change. services over an adequately
distributed set of
components, while enabling
CM-8 (1) Information System Component Inventory | Updates During Installations / X DCS-05 your Cloud Operations to
Removals CCC-04 retain the necessary
knowledge about
CM-8 (3) Information System Component Inventory | Automated Unauthorized X CM-8 (3) (a). [Continuously, using automated DCS-05 components and their
Component Detection mechanisms with a maximum five-minute delay CCC-04 functions that are
in detection.] candidates for activation vs.
elimination, with prescribed
integrity verifications.
CM-8 (5) Information System Component Inventory | No Duplicate Accounting of X DCS-05 <<<
Components CCC-04
CM-9 Configuration Management Plan X BCR-10
CCC-01
CCC-04
CCC-05
CM-10 Software Usage Restrictions X X CCC-04 Control limits installation of

non-approved software
CM-10 (1) Software Usage Restrictions | Open Source Software X CCC-04 Suggested mapping:
GRM-01 1) Map to CCM GRM-01
control series
2) Extend CIAQ to add GRM-
01.2, with the following
Assessment Questions":
>>>
GRM-01.2: Do you have
established procedures for
authorized vs. restricted use
of open source software,
with a minimum set of
controls for:
- A formal requisition
process (such as a Form)
which records the name
and version of the code
component, the source (e.g.
website), the license, usage
model, etc.
- A process for submitting
the requisition request
CM-11 User-Installed Software X X CM-11.c. [Continuously (via CM-7 (5))] CCC-04 through a review
Suggested mapping: process,
GRM-01 so as toto
1) Map ensure Legal
CCM GRM-01
understanding
control series of proposed
use, any potential
2) Extend CIAQ to addconcerns
GRM-
associated
01.3, withfollowing
with the the license,
etc.
- A tracking Questions":
Assessment mechanism for
any
>>> caveats/obligations
associated with
GRM-01.3: Do you thehave
code
and its license
established (e.g.
procedures and
preservation of
systematic checks forcopyright
notices, incorporation
authorized installation of
of
permission
User-Installed statements
Software,into
Aboutadequate
with pages orcontrols
equivalent,
for:
etc.).
- Restricting installation
<<< Authenticated User
onto
systems or devices, or
prohibiting user installation
of software without explicit
privileged status.
- Installation from only user
organization approved "app
Contingency Planning (CP) 0 stores", whether hosted
CP-1 Contingency Planning Policy and Procedures X X CP-1.b.1 [at least every 3 years] AAC-03 within your Cloud
CP-1.b.2 [at least annually] BCR-01 infrastructure or general
BCR-09 consumer Public Clouds.
GRM-08 - Alerting end-users directly
GRM-09 or user organization
IAM-07 administrators of
unauthorized attempts of
installation on user systems
CP-2 Contingency Plan X X CP-2d. [at least annually] Requirement: For JAB BCR-01 or devices.
authorizations the contingency BCR-02 - If BYOD is a supported
lists include designated FedRAMP BCR-09 option for end-users of your
personnel. BCR-11 Cloud services, restricting
CP-2 (1) Contingency Plan | Coordinate With Related Plans X BCR-01 connections to only trusted
BCR-02 devices that support a
BCR-11 passcode policy, encryption
and remote App+Data
CP-2 (2) Contingency Plan | Capacity Planning X BCR-01 wipe-out, as a minimum set
BCR-02 of outsider threat controls.
BCR-11
CP-2 (3) Contingency Plan | Resume Essential Missions / Business Functions X BCR-09 Direct mapping to BCR-09
which specifies "establish
maximum tolerable period
for disruption"
CP-2 (8) Contingency Plan | Identify Critical Assets X BCR-09 Direct mapping to BCR-09
which specifies "identify
critical products and
services"
CP-3 Contingency Training X X CP-3.a. [ 10 days] BCR-01

CP-3.c. [at least annually] BCR-02
CP-4 Contingency Plan Testing X X CP-4a. [at least annually for moderate impact CP-4a. Requirement: The service BCR-01
systems; at least every three years for low provider develops test plans in BCR-02
impact systems] [functional exercises for accordance with NIST Special
moderate impact systems; classroom Publication 800-34 (as amended);
exercises/table top written tests for low impact plans are approved by the
systems] Authorizing Official prior to
initiating testing.
CP-4 (1) Contingency Plan Testing | Coordinate With Related Plans X BCR-01
BCR-02
CP-6 Alternate Storage Site X BCR-01
BCR-11
STA-03
CP-6 (1) Alternate Storage Site | Separation From Primary Site X BCR-01
BCR-11
STA-03
CP-6 (3) Alternate Storage Site | Accessibility X BCR-01

BCR-11
STA-03
CP-7 Alternate Processing Site X CP-7a. Requirement: The service BCR-01

provider defines a time period BCR-11
consistent with the recovery time STA-03
objectives and business impact
analysis.
CP-7 (1) Alternate Processing Site | Separation From Primary Site X CP-7(1) Guidance: The service BCR-01
provider may determine what is BCR-11
considered a sufficient degree of STA-03
separation between the primary
and alternate processing sites,
based on the types of threats that
are of concern. For one particular
type of threat (i.e., hostile cyber
attack), the degree of separation
between sites will be less relevant.
CP-7 (2) Alternate Processing Site | Accessibility X BCR-01

BCR-11
STA-03
CP-7 (3) Alternate Processing Site | Priority of Service X BCR-01

BCR-11
STA-03
CP-8 Telecommunications Services X CP-8. Requirement: The service BCR-01

provider defines a time period BCR-08
consistent with the business BCR-11
impact analysis. STA-03
CP-8 (1) Telecommunications Services | Priority of Service Provisions X BCR-01

BCR-08
BCR-11
STA-03
CP-8 (2) Telecommunications Services | Single Points of Failure X BCR-01

BCR-08
BCR-11
STA-03
CP-9 Information System Backup X X CP-9a. [daily incremental; weekly full] CP-9. Requirement: The service BCR-01
CP-9b. [daily incremental; weekly full] provider shall determine what BCR-04
CP-9c. [daily incremental; weekly full] elements of the cloud environment BCR-11
require the Information System
Backup control.
shall determine how Information
System Backup is going to be
verified and appropriate
periodicity of the check.
CP-9a. Requirement: The service
provider maintains at least three
backup copies of user-level
information (at least one of which
is available online) or provides an
equivalent alternative.
CP-9b. Requirement: The service
backup copies of system-level
information (at least one of which
is available online) or provides an
equivalent alternative.
CP-9c. Requirement: The service
backup copies of information
system documentation including
security information (at least one
CP-9 (1) Information System Backup | Testing For Reliability / Integrity X CP-9 (1). [at least annually] of which is available online) or BCR-01
provides an equivalent alternative. BCR-04
BCR-11
CP-9 (3) Information System Backup | Separate Storage for Critical Information X BCR-01
BCR-04
BCR-11
CP-10 Information System Recovery and Reconstitution X X BCR-01

BCR-04
CP-10 (2) Information System Recovery and Reconstitution | Transaction Recovery X BCR-01
BCR-04
Identification and Authentication (IA) 7
IA-1 Identification and Authentication Policy and Procedures X X IA-1.b.1 [at least every 3 years] AAC-03
IA-1.b.2 [at least annually] GRM-06
GRM-08
GRM-09
IAM-02
IAM-07
IAM-12
IA-2 Identification and Authentication (Organizational Users) X X IAM-09

IAM-12
IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to X X IAM-09
Privileged Accounts IAM-12
IA-2 (2) Identification and Authentication (Organizational Users) | Network Access to X IAM-09
Non-Privileged Accounts IAM-12
IA-2 (3) Identification and Authentication (Organizational Users) | Local Access to X IAM-09
Privileged Accounts IAM-12
IA-2 (5) Identification and Authentication (Organizational Users) | Group X IAM-04 Suggested Mapping:
Authentication IAM-04 - "…control access
to network resources based
on user identity."
IA-2 (8) Identification and Authentication (Organizational Users) | Network Access to X IAM-09
Privileged Accounts - Replay Resistant IAM-12
IA-2 (11) Identification and Authentication (Organizational Users) | Remote Access - X The information system implements IAM-02 Could be mapped to IAM-02
Separate Device multifactor authentication for remote access to which references business
privileged and non-privileged accounts such case considerations for
that one of the factors is provided by a device multi-factor authentication?
separate from the system gaining access and
the device meets [Assignment: organization-
defined strength of mechanism requirements].
IA-2 (12) Identification and Authentication (Organizational Users) | Acceptance of PIV X X Guidance: Include Common Access No CCM NIST control Could be mapped to IAM-09
Credentials Card (CAC), i.e., the DoD technical Mapping has finer which references
implementation of PIV/FIPS Identified granularity authorization of users in
201/HSPD-12. accordance with
established policies and
procedures. For Federal
agencies, the PIV cards are
part of the IAM policies
defined by FICAM. Possible
CAIQ update to query for
the exact policies that are
followed?
IA-3 Device Identification and Authentication X DCS-03

IA-4 Identifier Management X X IA-4d. [at least two years] IA-4e. Requirement: The service DCS-03
IA-4e. [ninety days for user identifiers] (See provider defines time period of IAM-07
additional requirements and guidance.) inactivity for device identifiers. IAM-09
IA-4 (4) Identifier Management | Identify User Status X IA-4 (4). [contractors; foreign nationals] DCS-03
IAM-09
IA-5 Authenticator Management X X IA-5g. [to include sixty days for passwords] GRM-09
IAM-07
IAM-09
IAM-12
IA-5 (1) Authenticator Management | Password-Based Authentication X X IA-5 (1) (a). [case sensitive, minimum of twelve GRM-09
characters, and at least one each of upper-case IAM-07
letters, lower-case letters, numbers, and special IAM-09
characters] IAM-12
IA-5 (1) (b). [at least one]
IA-5 (1) (d). [one day minimum, sixty day
maximum]
IA-5 (1) (e). [twenty four]
IA-5 (2) Authenticator Management | PKI-Based Authentication X GRM-09

IAM-07
IAM-09
IAM-12
IA-5 (3) Authenticator Management | In-Person or Trusted Third-Party Registration X IA-5 (3). [All hardware/biometric (multifactor GRM-09
authenticators] [in person] IAM-07
IAM-09
IAM-12
IA-5 (4) Authenticator Management | Automated Support for Password Strength X IA-4e Additional FedRAMP No CCM Specific Don't see a place where this
Determination Requirements and Guidance: Mapping requirement maps to CCM
Guidance: If automated Identified not defined in
mechanisms which enforce CCM
password authenticator strength at
creation are not used, automated
mechanisms must be used to audit
strength of created password
authenticators
IA-5 (6) Authenticator Management | Protection of Authenticators X GRM-09

IAM-07
IAM-09
IAM-12
IA-5 (7) Authenticator Management | No Embedded Unencrypted Static X GRM-09

Authenticators IAM-07
IAM-09
IAM-12
IA-5 (11) Authenticator Management | Hardware Token-Based Authentication X X No CCM NIST control Could be mapped to IAM-09
Mapping has finer which references
Identified granularity authorization of users in
accordance with
esatblished policies and
followed?
IA-6 Authenticator Feedback X X IAM-12

IA-7 Cryptographic Module Authentication X X AAC-03
EKM-03
IA-8 Identification and Authentication (Non-Organizational Users) X X IAM-07
IAM-09
IAM-12
IA-8 (1) Identification and Authentication (Non-Organizational Users) | Acceptance X X No CCM NIST control Could be mapped to IAM-09
of PIV Credentials from Other Agencies Mapping has finer which references
Identified granularity authorization of users in
accordance with
esatblished policies and
followed?
IA-8 (2) Identification and Authentication (Non-Organizational Users) | Acceptance X X No CCM NIST control IAM-09? See notes for IA-8
of Third-Party Credentials Mapping has finer (1)
Identified granularity
IA-8 (3) Identification and Authentication (Non-Organizational Users) | Use of X X No CCM NIST control IAM-09? See notes for IA-8
FICAM-Approved Products Mapping has finer (1)
IA-8 (4) Identification and Authentication (Non-Organizational Users) | Use of X X No CCM NIST control IAM-09? See notes for IA-8
FICAM-Issued Profiles Mapping has finer (1)
This control also relates to
SA-4 (10)
Incident Response (IR) 0

IR-1 Incident Response Policy and Procedures X X IR-1.b.1 [at least every 3 years] AAC-03
IR-1.b.2 [at least annually] GRM-06
GRM-08
GRM-09
IAM-07
SEF-02
IR-2 Incident Response Training X X IR-2b. [at least annually] SEF-02

SEF-03
IR-3 Incident Response Testing X IR-3. [at least annually] IR-3. Requirement: The service SEF-02
provider defines tests and/or
exercises in accordance with NIST
Special Publication 800-61 (as
amended).
Requirement: For JAB
Authorization, the service provider
provides test plans to the
Authorizing Official (AO) annually.
Requirement: Test plans are
approved and accepted by the
Authorizing Official prior to test
commencing.
IR-3 (2) Incident Response Testing | Coordination With Related Plans X BCR-07 BCR-07/08 - Mapping is
BCR-08 fairly self explanitory, the
control calls for policies and
proceedures to be in place.
IR-4 Incident Handling X X IR-4/A13. Requirement: The SEF-02

service provider ensures that SEF-05
individuals conducting incident
handling meet personnel security
requirements commensurate with
the criticality/sensitivity of the
information being processed,
stored, and transmitted by the
information system.
IR-4 (1) Incident Handling | Automated Incident Handling Processes X SEF-02
SEF-05
IR-5 Incident Monitoring X X SEF-02
SEF-04
SEF-05
IR-6 Incident Reporting X X IR-6a. [US-CERT incident reporting timelines as Requirement: Reports security SEF-01
specified in NIST Special Publication 800-61 (as incident information according to SEF-03
amended)] FedRAMP Incident
Communications Procedure.
IR-6 (1) Incident Reporting | Automated Reporting X SEF-01

SEF-03
IR-7 Incident Response Assistance X X SEF-02
SEF-03
SEF-04
IR-7 (1) Incident Response Assistance | Automation Support For Availability of X SEF-02
Information / Support SEF-03
SEF-04
IR-7 (2) Incident Response Assistance | Coordination With External Providers X SEF-02
SEF-03
SEF-04
IR-8 Incident Response Plan X X IR-8c. [at least annually] IR-8(b) Additional FedRAMP SEF-02
Requirements and Guidance: The SEF-04
service provider defines a list of SEF-05
incident response personnel
(identified by name and/or by role)
and organizational elements. The
incident response list includes
designated FedRAMP personnel.
IR-8(e) Additional FedRAMP
Requirements and Guidance: The
service provider defines a list of
incident response personnel
(identified by name and/or by role)
and organizational elements. The
incident response list includes
designated FedRAMP personnel.
IR-9 Information Spillage Response X SEF-01 SEF controls describe the

SEF-02 various aspects for planning
SEF-03 and response to security
SEF-04 incidents, which includes
SEF-05 information spillage.
IR-9 (1) Information Spillage Response | Responsible Personnel X BCR-01 Information spillage is
SEF-01 considered an incident for
SEF-02 all intents and purposes
SEF-03 therefore these can be
defined and mapped under
the BCP/DRPs
BCR-01 - Fairly self

explanatory due to the
nature of the control
requiring the personnel
affiliated with IR procedures
are defined.
IR-9 (2) Information Spillage Response | Training X BCR-02 BCR-02 - Control states that
BCR-10 SIR should be tested (a form
of training) at planned
intervals, in most cases for
some military entites
specifically Army QRF use
this type of testing to
double as real time training
credits.
BCR-10 - Mapping is fairly
direct, considering the
requirement of workforce
training.
IR-9 (3) Information Spillage Response | Post-Spill Operations X BCR-02 BCR-02 - Control states that
SEF-02 SIR should be tested to
SEF-04 ensure that operations will
SEF-05 actually work in the event
that an incident actually
occurs.
Information spillage is
considered an incident for
all intents and purposes
therefore SEF-02 is
applicable due to the
nature of the control and
indication that the triage
(response and quarantine)
be addressed in a timely
manner.
SEF-04 indicates the
definition of proper
incident handling inclusive
of preservation of
evidenciary findings via CoC
and other forensic
procedures to preserve
integrity.
IR-9 (4) Information Spillage Response | Exposure to Unauthorized Personnel X BCR-03 BCR-03 Is applicable due to
BCR-06 the fact that the operations
should be tested to ensure
expossure to unauthorized
parties is circumvented.
BCR-06 is applicable due to

the indication of necessary
controls to prevent against
access of unauthorized
personnel
Maintenance (MA) 1
MA-1 System Maintenance Policy and Procedures X X MA-1.b.1 [at least every 3 years] AAC-03
MA-1.b.2 [at least annually] DCS-04
DCS-08
GRM-06
GRM-08
GRM-09
IAM-07
MA-2 Controlled Maintenance X X BCR-07

DCS-08
MA-3 Maintenance Tools X BCR-07
IAM-03
MA-3 (1) Maintenance Tools | Inspect Tools X BCR-07
IAM-03
MA-3 (2) Maintenance Tools | Inspect Media X BCR-07
IAM-03
MA-3 (3) Maintenance Tools | Prevent Unauthorized Removal X MA-3 (3) (d). [the information owner explicitly BCR-07
authorizing removal of the equipment from the IAM-03
facility]
MA-4 Nonlocal Maintenance X X BCR-07

BCR-10
IAM-03
MA-4 (2) Nonlocal Maintenance | Document Nonlocal Maintenance X BCR-07

BCR-10
IAM-03
MA-5 Maintenance Personnel X X BCR-07

IAM-03
IAM-09
MA-5 (1) Maintenance Personnel | Individuals Without Appropriate Access X Requirement: Only MA-5 (1)(a)(1) No CCM Specific DCS-08 and DCS-09 refer to
is required by FedRAMP Moderate Mapping requirement physical access controls but
Baseline Identified not defined in not as explicit as the NIST
CCM guidance regarding
escort/supervision of
maintenance personnel
MA-6 Timely Maintenance X BCR-07

Media Protection (MP) 0
MP-1 Media Protection Policy and Procedures X X MP-1.b.1 [at least every 3 years] AAC-03
MP-1.b.2 [at least annually] DSI-04
GRM-06
GRM-08
GRM-09
HRS-11
IAM-07
MP-2 Media Access X X HRS-05

HRS-11
MP-3 Media Marking X MP-3b. [no removable media types] MP-3b. Guidance: Second DSI-04
parameter not-applicable HRS-11
MP-4 Media Storage X MP-4a. [all types of digital and non-digital MP-4a Additional FedRAMP HRS-05
media with sensitive information] within Requirements and Guidance: HRS-11
[FedRAMP Assignment: see additional Requirement: The service provider
FedRAMP requirements and guidance]; defines controlled areas within
facilities where the information
and information system reside.
MP-5 Media Transport X MP-5a. [all media with sensitive information] SEF-04
[prior to leaving secure/controlled STA-05
environment: for digital media, encryption
using a FIPS 140-2 validated encryption
module; for non-digital media, secured in
locked container]
MP-5 (4) Media Transport | Cryptographic Protection X SEF-04

STA-05
MP-6 Media Sanitization X X The organization: a. Sanitizes [Assignment: DCS-05

organization-defined information system
media] prior to disposal, release out of
organizational control, or release for reuse
using [Assignment: organization-defined
sanitization techniques and procedures] in
accordance with applicable federal and
organizational standards and policies; and b.
Employs sanitization mechanisms with the
strength and integrity commensurate with the
security category or classification of the
information.
MP-6 (2) Media Sanitization | Equipment Testing X [At least annually] Guidance: Equipment and DCS-05 May need a CAIQ question
procedures may be tested or specific to the testing of
validated for effectiveness Media Sanitization
procedures?
MP-7 Media Use X X DCS-01 DCS-01 is a partial mapping

HRS-05 as it talks about defining the
MOS-05 media used and how it will
be used.
HRS-05 is applicable due to
the control's wording
"Information system media
includes both digital and
non-digital media. Digital
media includes, for
example, diskettes,
magnetic tapes,
external/removable hard
disk drives, flash drives,
compact disks, and digital
video disks. Non-digital
media includes, for
example, paper and
microfilm. This control also
applies to mobile devices
with information storage
capability (e.g., smart
phones, tablets, E-
readers)."
MOS-05 is applicable due to
the request to use policies
to dictate proper use of
devices
MP-7 (1) Media Use | Prohibit Use without Owner X DSI-06 DSI-06 - Specifically
DCS-01 requests an owner be
MOS-09 assigned
Indicates the use of a

CMDB, without calling it out
directly. CMDBs generally
require an asset
owner/user therefor DCS-
01 and MOS-09 would be a
match
Physical and Environmental Protection (PE) 1

PE-1 Physical and Environmental Protection Policy and Procedures X X PE-1.b.1 [at least every 3 years] AAC-03
PE-1.b.2 [at least annually] BCR-03
BCR-05
BCR-06
BCR-08
DSI-07
DCS-04
GRM-06
GRM-08
GRM-09
IAM-07
PE-2 Physical Access Authorizations X X PE-2c. [at least annually] DCS-02

DCS-06
DCS-09
IVS-01
PE-3 Physical Access Control X X PE-3a.2 [CSP defined physical access control DCS-02
systems/devices AND guards] DCS-06
PE-3d. [in all circumstances within restricted DCS-09
access area where the information system IVS-01
resides]
PE-3f. [at least annually]
PE-3g. [at least annually]
PE-4 Access Control For Transmission Medium X BCR-03

DCS-06
IVS-12
PE-5 Access Control For Output Devices X BCR-06

DCS-06
PE-6 Monitoring Physical Access X X PE-6b.[at least monthly] DCS-02
DCS-06
DCS-09
PE-6 (1) Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment X DCS-02
DCS-06
DCS-09
PE-8 Visitor Access Records X X PE-8a [for a minimum of one year] DCS-02
PE-8b. [at least monthly]
PE-9 Power Equipment and Cabling X BCR-08
PE-10 Emergency Shutoff X BCR-08
PE-11 Emergency Power X BCR-08
PE-12 Emergency Lighting X X BCR-08
PE-13 Fire Protection X X BCR-03
BCR-05
BCR-08
PE-13 (2) Fire Protection | Suppression Devices / Systems X BCR-03

BCR-05
BCR-08
PE-13 (3) Fire Protection | Automatic Fire Suppression X BCR-03

BCR-05
BCR-08
PE-14 Temperature and Humidity Controls X X PE-14a. [consistent with American Society of PE-14a. Requirements: The service BCR-05
Heating, Refrigerating and Air-conditioning provider measures temperature at BCR-06
Engineers (ASHRAE) document entitled Thermal server inlets and humidity levels by BCR-08
Guidelines for Data Processing Environments] dew point.
PE-14b. [continuously]
PE-14 (2) Temperature and Humidity Controls | Monitoring With Alarms / X No CCM Specific BCR-03 refers to monitoring
Notifications Mapping requirement of temperature and
Identified not defined in humidity controls but no
CCM reference to alarms or
automatic notifications
PE-15 Water Damage Protection X X BCR-05

BCR-06
PE-16 Delivery and Removal X X PE-16. [all information system components] DSI-04
DCS-04
DCS-07
DCS-08
PE-17 Alternate Work Site X BCR-01

DCS-04
Planning (PL) 4
PL-1 Security Planning Policy and Procedures X X PL-1.b.1 [at least every 3 years] AAC-03
PL-1.b.2 [at least annually] CCC-01
GRM-06
GRM-08
GRM-09
GRM-11
IAM-07
PL-2 System Security Plan X X PL-2c. [at least annually] No CCM Possible
Mapping Mapping to
Identified AAC-03 and/or
GRM-04?
PL-2 (3) System Security Plan | Plan / Coordinate With Other Organizational Entities X No CCM Possible
Mapping Mapping to
Identified GRM-04?
PL-4 (1) Rules of Behavior | Social Media and Networking Restrictions X No CCM Specific
Mapping requirement
Identified not defined in
CCM
PL-8 Information Security Architecture X PL-8b. [At least annually] No CCM Specific There are several CCM
Mapping requirement controls that relate to
Identified not defined in documentation of
CCM requirements, network
architecture, etc. but not
clear that those are the
same as the comprehensive
InfoSec Architecture that is
described in 800-53r4
Personnel Security (PS) 0

PS-1 Personnel Security Policy and Procedures X X PS-1.b.1 [at least every 3 years] AAC-03
PS-1.b.2 [at least annually] GRM-06
GRM-07
GRM-08
GRM-09
HRS-03
HRS-07
IAM-07
PS-2 Position Risk Designation X X PS-2c. [at least every three years] DSI-06
HRS-02
HRS-03
HRS-04
HRS-07
PS-3 Personnel Screening X X PS-3b. [for national security clearances; a HRS-02

reinvestigation is required during the 5th year
for top secret security clearance, the 10th year
for secret security clearance, and 15th year for
confidential security clearance.
For moderate risk law enforcement and high

impact public trust level, a reinvestigation is
required during the 5th year. There is no
reinvestigation for other moderate risk
positions or any low risk positions]
PS-3 (3) Personnel Screening | Information With Special Protection Measures X PS-3 (3)(b). [personnel screening criteria – as HRS-02 Finer Not as specific as the NIST
required by specific information] IAM-09 granularity of definition, but HRS-02, IAM-
IAM-10 NIST conrol 09 and IAM-10 all refer to
included in granting access to
broader CCM information based on
definition sensitivity, appropriate use,
least privilege, etc.
PS-4 Personnel Termination X X PS-4.a. [same day] HRS-01

HRS-04
IAM-11
PS-5 Personnel Transfer X X PS-5. [within five days of the formal transfer HRS-04
action (DoD 24 hours)] IAM-11
PS-6 Access Agreements X X PS-6b. [at least annually] HRS-03
PS-6c.2. [at least annually] HRS-04
HRS-06
HRS-07
IAM-09
IAM-10
PS-7 Third-Party Personnel Security X X PS-7d. organization-defined time period – same HRS-03
day HRS-07
IAM-10
STA-05
PS-8 Personnel Sanctions X X GRM-07

HRS-04
Risk Assessment (RA) 0
RA-1 Risk Assessment Policy and Procedures X X RA-1.b.1 [at least every 3 years] AAC-03
RA-1.b.2 [at least annually] GRM-08
GRM-09
GRM-10
GRM-11
IAM-07
RA-2 Security Categorization X X AAC-03

DSI-01
DSI-06
GRM-02
GRM-10
GRM-11
RA-3 Risk Assessment X X RA-3b. [security assessment report] Guidance: Significant change is BCR-09
defined in NIST Special Publication GRM-02
RA-3c. [at least every three years or when a 800-37 Revision 1, Appendix F. GRM-08
significant change occurs] GRM-10
RA-3d. Requirement: to include GRM-11
RA-3e. [at least every three years or when a the Authorizing Official; for JAB
significant change occurs] authorizations to include FedRAMP
RA-5 Vulnerability Scanning X X RA-5a. [monthly operating RA-5a. Requirement: an accredited AAC-02
system/infrastructure; monthly web independent assessor scans TVM-02
applications and databases] operating systems/infrastructure,
web applications, and databases
RA-5d. [high-risk vulnerabilities mitigated once annually.
within thirty days from date of discovery; RA-5e. Requirement: to include the
moderate-risk vulnerabilities mitigated within Risk Executive; for JAB
ninety days from date of discovery] authorizations to include FedRAMP
RA-5 (1) Vulnerability Scanning | Update Tool Capability X AAC-02

TVM-02
RA-5 (2) Vulnerability Scanning | Update by Frequency / Prior to New Scan / When X RA-5 (2). [prior to a new scan] AAC-02
Identified TVM-02
RA-5 (3) Vulnerability Scanning | Breadth / Depth of Coverage X AAC-02
TVM-02
RA-5 (5) Vulnerability Scanning | Privileged Access X RA-5 (5). [operating systems / web TVM-01 Direct mapping to TVM-03
applications / databases] [all scans] TVM-02 as it specifically names
TVM-03 vulnerability management
to include vulnerability
scanning on
organizationally owned
items inclusive of laptops,
workstations and mobile
devices. Also a direct
mapping to TVM-02 as it
specifically states
vulnerability assessments
(scanning)
RA-5 (6) Vulnerability Scanning | Automated Trend Analyses X RA-5(6) Guidance: include in AAC-02
Continuous Monitoring ISSO TVM-02
digest/report to Authorizing
Official
RA-5 (8) Vulnerability Scanning | Review Historic Audit Logs X RA-5 (8). Requirements: This IAM-02 Related to AU-6, covers
enhancement is required for all IAM-07 reporting on vulnerabilities,
high vulnerability scan findings. IVS-01 in most organizations this is
Guidance: While scanning tools IVS-12 associated with threat
may lable findings as high or IVS-13 modeling and identification
critical, the intent of the control is TVM-01 which can be used to
based around NIST's definition of determine identified risks.
high vulnerability.
System and Services Acquisition (SA) 3

SA-1 System and Services Acquisition Policy and Procedures X X SA-1.b.1 [at least every 3 years] AAC-03
SA-1.b.2 [at least annually] CCC-01
GRM-06
GRM-09
IAM-07
SA-2 Allocation of Resources X X DSI-06

GRM-01
SA-3 System Development Life Cycle X X BCR-10
CCC-01
CCC-03
SA-4 Acquisition Process X X SA-4. Guidance: The use of BCR-10

Common Criteria (ISO/IEC 15408) CCC-01
evaluated products is strongly CCC-02
preferred. CCC-03
See http://www.niap-ccevs.org/vpl GRM-01
or IVS-04
http://www.commoncriteriaportal.
org/products.html.
SA-4 (1) Acquisition Process | Functional Properties of Security Controls X BCR-04 BCR-04 is implied from
BCR-10 previous mapping to SA-
CCC-01 5(1) which NIST has
CCC-02 incorporated into SA-4(1)
CCC-03
GRM-01
IVS-04
SA-4 (2) Acquisition Process | Design / Implementation Information for Security X [to include security-relevant external system BCR-04 Implied from previous
Controls interfaces and high-level design] BCR-10 mapping to SA-5(3) which
CCC-02 NIST has incorporated into
CCC-03 SA-4(2)
SA-4 (8) Acquisition Process | Continuous Monitoring Plan X SA-4 (8). [at least the minimum requirement as SA-4 (8) Guidance: CSP must use No CCM Specific STA-04, STA-08 & STA-09
defined in control CA-7] the same security standards Mapping requirement refer to vendor assesments
regardless of where the system Identified not defined in performed at least annully
component or information system CCM but no reference to
service is aquired. continuous monitoring
SA-4 (9) Acquisition Process | Functions / Ports / Protocols / Services in Use X STA-03 Direct mapping - CCM
CCC-02 control describes
coordination of security
implementation during
design & development
SA-4 (10) Acquisition Process | Use of Approved PIV Products X X No CCM NIST control IAM-09? See notes for IA-8
Mapping has finer (1)
This control also relates to
SA-4 (10)
SA-5 Information System Documentation X X BCR-04

BCR-10
CCC-02
CCC-03
SA-8 Security Engineering Principles X AIS-01

BCR-10
CCC-02
CCC-03
SA-9 External Information System Services X X SA-9a. [FedRAMP Security Controls Baseline(s) CCC-02
if Federal information is processed or stored HRS-06
within the external system] STA-03
SA-9c. [Federal/FedRAMP Continuous STA-05
Monitoring requirements must be met for STA-09
external systems where Federal information is
processed or stored]
SA-9 (1) External Information Systems | Risk Assessments / Organizational Approvals X SA-9 (1) see Additional Requirement and SA-9 (1). Requirement: The service CCC-02
Guidance provider documents all existing GRM-11
outsourced security services and HRS-06
conducts a risk assessment of STA-03
future outsourced security STA-05
services. For JAB authorizations, STA-09
future planned outsourced
services are approved and
accepted by the JAB.
SA-9 (2) External Information Systems | Identification of Functions / Ports / Protocols X SA-9 (2). [All external systems where Federal STA-03 Direct mapping - STA-03
/ Services information is processed, transmitted or control describes
stored] coordination of security
implementation and how it
meets requirements
SA-9 (4) External Information Systems | Consistent Interests of Consumers and X SA-9 (4). [All external systems where Federal STA-05 STA-05 includes a reference
Providers information is processed, transmitted or to "Assessment and
stored] independent verification" of
providers, consistent with
the NIST description of SA-9
(4)
SA-9 (5) External Information Systems | Processing, Storage, and Service Location X SA-9 (5). [information processing, transmission, STA-05 Direct mapping: STA-05
information data, AND information services] includes a reference to
"Physical geographical
location of hosted services"
in the context of
establishing
customer/provider
agreements
SA-10 Developer Configuration Management X SA-10a. [development, implementation, AND SA-10e. Requirement: for JAB BCR-04
operation] authorizations, track security flaws BCR-10
and flaw resolution within the CCC-02
system, component, or service and CCC-03
report findings to organization-
defined personnel, to include
FedRAMP.
SA-10 (1) Developer Configuration Management | Software / Firmware Integrity X CCC-01 CCC-03 refers specifially to
Verification CCC-02 integrity of systems and
CCC-03 services
IVS-02
SA-11 Developer Security Testing and Evaluation X BCR-04

BCR-10
CCC-02
CCC-03
DSI-05
SA-11 (1) Developer Security Testing and Evaluation | Static Code Analysis X Requirement: SA-11 (1) or SA-11 BCR-04
(8) or both BCR-10
Requirement: The service provider CCC-02
documents in the Continuous CCC-03
Monitoring Plan, how newly DSI-05
developed code for the
information system is reviewed.
SA-11 (2) Developer Security Testing and Evaluation | Threat and Vulnerability X TVM-02 TVM-02 requires testnig to
Analyses ensure that vulnerabilities
are identified and
remediated
SA-11 (8) Developer Security Testing and Evaluation | Dynamic Code Analysis X Requirement: SA-11 (1) or SA-11 No CCM Specific
(8) or both Mapping requirement
Requirement: The service provider Identified not defined in
documents in the Continuous CCM
Monitoring Plan, how newly
developed code for the
information system is reviewed.
System and Communications Protection (SC) 4

SC-1 System and Communications Protection Policy and Procedures X X SC-1.b.1 [at least every 3 years] AIS-04
SC-1.b.2 [at least annually] AAC-03
GRM-06
GRM-08
GRM-09
IAM-07
SC-2 Application Partitioning X AIS-01

IVS-08
IVS-09
SC-4 Information In Shared Resources X AIS-01

SC-5 Denial of Service Protection X X AIS-01
TVM-01
SC-6 Resource Availability X AIS-01
SC-7 Boundary Protection X X AIS-01
EKM-03
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (3) Boundary Protection | Access Points X AIS-01

IVS-06
IVS-09
IVS-12
STA-09
SC-7 (4) Boundary Protection | External Telecommunications Services X SC-7 (4). [at least annually] AIS-01
EKM-03
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (5) Boundary Protection | Deny by Default / Allow by Exception X AIS-01

IVS-06
IVS-09
IVS-12
STA-09
SC-7 (7) Boundary Protection | Prevent Split Tunneling for Remote Devices X AIS-01
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (8) Boundary Protection | Route Traffic to Authenticated Proxy Servers X AIS-01
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (12) Boundary Protection | Host-Based Protection X AIS-01

IVS-06
IVS-09
IVS-12
STA-09
SC-7 (13) Boundary Protection | Isolation of Security Tools / Mechanisms / Support X SC-7 (13). Requirement: The AIS-01
Components service provider defines key IVS-06
information security tools, IVS-09
mechanisms, and support IVS-12
components associated with STA-09
system and security administration
and isolates those tools,
mechanisms, and support
components from other internal
information system components
via physically or logically separate
subnets.
SC-7 (18) Boundary Protection | Fail Secure X AIS-01
IVS-06
IVS-09
IVS-12
STA-09
SC-8 Transmission Confidentiality and Integrity X SC-8. [confidentiality AND integrity] AIS-01
AIS-04*
DSI-03
EKM-03
SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate X SC-8 (1). [prevent unauthorized disclosure of AIS-01
Physical Protection information AND detect changes to AIS-04*
information] [a hardened or alarmed carrier DSI-03
Protective Distribution System (PDS)] EKM-03
SC-10 Network Disconnect X SC-10. [no longer than 30 minutes for RAS- AIS-01
based sessions or no longer than 60 minutes IAM-12
for non-interactive user sessions]
SC-12 Cryptographic Key Establishment and Management X X SC-12 Guidance: Federally EKM-02
approved cryptography EKM-04
SC-12 (2) Cryptographic Key Establishment and Management | Symmetric Keys X SC-12 (2). [NIST FIPS-compliant] No CCM NIST control Could be EKM-02 & EKM-04
Mapping has finer - see note below for SC-
Identified granularity 12(3)
SC-12 (3) Cryptographic Key Establishment and Management | Asymmetric Keys X No CCM NIST control Not a true mapping, as this
Mapping has finer is a very specific control
Identified granularity which calls for a defined
process of generation,
storage and management of
asymmetric keys. EKM-02
could be a mapping due to
the fact that it specifically
talks about the process of
generation, storage and
management of
cryptographic keys,
however it does not state
whethere this is indicative
of asymmetric or symmetric
key pairings.
EKM-04 - could be a
mapping due to the aspect
that the ambiguity of the
control could be used to
encompass the level of
(class 3) key indicated in
FEDRamp control.
SC-13 Cryptographic Protection X X [FIPS-validated or NSA-approved cryptography] AIS-01

AAC-03
EKM-02
EKM-03
SC-15 Collaborative Computing Devices X X SC-15a. [no exceptions] No CCM Specific IVS-12 - Possibly, no other
Mapping requirement controls found for potential
Identified not defined in mapping (S.A.) IVS-12 could
CCM be a stretch for mapping as
this control seems to be
talking about peripherial
items such as prohibited
use of USB based items or
other peripherial devices
which can present a risk if
improperly utilized on
certain systems.
SC-17 Public Key Infrastructure Certificates X AIS-01

EKM-02
SC-18 Mobile Code X AIS-01
IVS-01
SC-19 Voice Over Internet Protocol X No CCM Specific Direct mapping not found
Mapping requirement (VoIP is not indicated in any
Identified not defined in CCM control)
CCM
SC-20 Secure Name / Address Resolution Service (Authoritative Source) X X IVS-06 Implied from previous
mapping to SC-20 (1) which
NIST has incorporated into
SC-20
SC-21 Secure Name / Address Resolution Service (Recursive or Caching X X IVS-06

Resolver)
SC-22 Architecture and Provisioning for Name / Address Resolution Service X X IVS-06
SC-23 Session Authenticity X EKM-03
SC-28 Protection of Information At Rest X SC-28. [confidentiality AND integrity] SC-28. Guidance: The organization EKM-03
supports the capability to use
cryptographic mechanisms to
protect information at rest.
SC-28 (1) Protection Of Information At Rest | Cryptographic Protection X EKM-02 EKM-02/03 - Could be
EKM-03 considered a true mapping
for this as each control
indicates that the control is
to adhere to the necessity
of preservation of integrity
and confidentiality of data.
SC-39 Process Isolation X X IVS-09 Could be mapped to IVS-09

DCS-08 as the control appears to
match the requirements of
isolation of processes
during runtime in relation
to multi-threading.
DCS-08 may be applicable

due to the literal nature of
the control which states
that personnel should be
isolated from processing
facilities.
Should be noted that theses
controls are also related
This capability is available in
most commercial operating
systems that employ multi-
state processor
technologies. Related
controls: AC-3, AC-4, AC-6,
SA-4, SA-5, SA-8, SC-2, SC-3.
System and Information Integrity (SI) 7

SI-1 System and Information Integrity Policy and Procedures X X SI-1.b.1 [at least every 3 years] AAC-03
SI-1.b.2 [at least annually] CCC-04
DSI-04
GRM-06
GRM-08
GRM-09
IAM-07
TVM-02
SI-2 Flaw Remediation X X SI-2c. [Within 30 days of release of updates] AIS-03

CCC-05
TVM-02
SI-2 (2) Flaw Remediation | Automated Flaw Remediation Status X SI-2 (2). [at least monthly] AIS-03
CCC-05
TVM-02
SI-2 (3) Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective X TVM-02 TVM-02 is the only possible
Actions mapping, however it could
be a stretch due to the fact
that it does not define a set
amount of time between
identification and
remediation.
SI-3 Malicious Code Protection X X SI-3.c.1 [at least weekly] [to include endpoints] AIS-03
SI-3.c.2 [to include alerting administrator or CCC-04
defined security personnel] TVM-01
SI-3 (1) Malicious Code Protection | Central Management X AIS-03

CCC-04
TVM-01
SI-3 (2) Malicious Code Protection | Automatic Updates X AIS-03

CCC-04
TVM-01
SI-3 (7) Malicious Code Protection | Nonsignature-Based Detection X No CCM NIST control TVM-01 is a possible
Mapping has finer mapping however it is fairly
Identified granularity ambiguous and does not
directly make a distinction
between signature or
anamoly based malware
detection, the control
simply states malware
detection as an all
encompassing item.
SI-4 Information System Monitoring X X AIS-03

CCC-04
GRM-11
IAM-05
IVS-01
SEF-03
TVM-02
SI-4 (1) Information System Monitoring | System-Wide Intrusion Detection System X IVS-01 IVS-01 is a mapping, as it
IVS-13 indicates adherence "to
applicable legal, statutory
or regulatory compliance
obligations"
IVS-13 is a possible mapping

as this control calls for
detection of network based
attacks which, in theory,
could be indicative of HIDs
or NIDs technologies which
can be placed at either
ingress or egress segments
of the network.
SI-4 (2) Information System Monitoring | Automated Tools For Real-Time Analysis X AIS-03
CCC-04
GRM-11
IAM-05
IVS-01
SEF-03
SI-4 (4) Information System Monitoring | Inbound and Outbound Communications X SI-4 (4). [continually] AIS-03
Traffic CCC-04
GRM-11
IAM-05
IVS-01
SEF-03
SI-4 (5) Information System Monitoring | System-Generated Alerts X SI-4(5) Guidance: In accordance AIS-03
with the incident response plan. CCC-04
GRM-11
IAM-05
SI-4(14) Information System Monitoring | Wireless Intrusion Detection X IVS-01 No CCM NIST control IVS-12 is a possible mapping
SEF-03 Mapping has finer however it may be a stretch
Identified granularity due to the lack of calling
out WIDs distinctly. This
control does call out rogue
devices, therefore making
the mapping a match…
potentially.
DCS-03 may be a match due
to the indication of
identification of authorized
devices, say based on MAC
address which should only
allow authorized devices
(inclusive of wireless) to
connect to the network.
May be a stretch as it does
not specify wireless
distinctly.
SI-4 (16) Information System Monitoring | Correlate Monitoring Information X No CCM NIST control IVS-07 - Although
Mapping has finer ambiguous this could be a
Identified granularity mapping as it indicates the
need to implement
monitoring on all systems
which logically would
indicate the correlation
across multiple systems to
ensure proper reporting.
SEF-04 is a possible
mapping as it indicates the
necessity for monitoring
information, however it
does not indicate any
correlation or
syncronization between
other monitoring
technologies.
SI-4 (23) Information System Monitoring | Host-Based Devices X No CCM Specific IVS-06 - Could be used as a
Mapping requirement mapping however this may
Identified not defined in be a stretch because the
CCM FEDRamp control is
indicating the use of HIDs or
HIPs, with the CCM stating
network and virtualized
environments indicative of
NIDs/WIDs.
SI-5 Security Alerts, Advisories, and Directives X X SI-5a. [to include US-CERT] SEF-01
SI-5c. [to include system security personnel and SEF-03
administrators with configuration/patch- TVM-01
management responsibilities] TVM-02
SI-6 Security Function Verification X SI-6b [to include upon system startup and/or AIS-03
restart at least monthly] CCC-05
SI-6c [to include system administrators and
security personnel]
SI-6d [to include notification of system
administrators and security personnel]
SI-7 Software, Firmware, and Information Integrity X AAC-03 (note Areas implied by previous
3) mappings that have been
AIS-03 incorporated by NIST into
BCR-10 (note SI-7:
2) Note 1: AU-10 (5)
CCC-04 Note 2: CM-6 (3)
CCC-05 Note 3: SA-6
DSI-03 (note Note 4: SA-7
1)
IAM-09 (note
4)
IVS-12 (note
2)
SEF-04 (note
1)
SI-7 (1) Software, Firmware, and Information Integrity | Integrity Checks X SI-7 (1). [Selection to include security relevant STA-05
AIS-03 (note
events and at least monthly] 3)
CCC-04
TVM-01
CCC-05
TVM-01
SI-7 (7) Software, Firmware, and Information Integrity | Integration of Detection and X AIS-03 AIS-03
Response IVS-01 is a mapping as this control
SEF-05 calls for input/output
TVM-02 integrity checks to ensure
prevention of tampering.
IVS-01 is a mapping as this

control indicates the
adherence to applicable
legal, statutory or
regulatory compliance
obligations and providing
unique user access
accountability to detect
potentially suspicious
network behaviors and/or
file integrity anomalies, and
to support forensic
investigative capabilities in
the event of a security
breach.
SEF-05 is a mapping due to
the statements in the
control which indicates the
ability to monitor/quantify
the types, volumes, and
costs of information
security incidents.
TVM-02 appears to be a
mapping based on control
statements in the CCM.
SI-8 Spam Protection X EKM-03

TVM-01
SI-8 (1) Spam Protection | Central Management X No CCM Specific
Mapping requirement
CCM
SI-8 (2) Spam Protection | Automatic Updates X No CCM Specific

Mapping requirement
CCM
SI-10 Information Input Validation X AIS-03

SI-11 Error Handling X AIS-03
SI-12 Information Handling and Retention X X DSI-04
GRM-02
SI-16 Memory Protection X No CCM Specific
Mapping requirement
CCM
TOTAL 33 PERCENTAGE 10.15%

UNMAPPED OF
FEDRAMP UNMAPPED
CONTROLS CONTROLS

CSA CCM v3.0.1-FedRAMP 5.2.15

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CSA CCM v3.0.1-FedRAMP 5.2.15

Uploaded by

Copyright:

Available Formats

FedRAMP CLOU

Audit Assurance & AAC-02 Independent reviews and assessments shall be X

Business Continuity BCR-01 A consistent unified framework for business continuity X

Business Continuity BCR-04 Information system documentation (e.g., administrator

Business Continuity BCR-07 Policies and procedures shall be established, and X

Business Continuity BCR-11 Policies and procedures shall be established, and

Datacenter Security DCS-01 Assets must be classified in terms of business criticality, X

Datacenter Security DCS-03 Automated equipment identification shall be used as a X

Governance and Risk GRM-04 An Information Security Management Program (ISMP) X

Governance and Risk GRM-11 Risks shall be mitigated to an acceptable level. X

Human Resources HRS-01 Upon termination of workforce personnel and/or X

Human Resources HRS-05 Policies and procedures shall be established, and X

Human Resources HRS-06 Requirements for non-disclosure or confidentiality

Human Resources HRS-08 Policies and procedures shall be established, and

Human Resources HRS-11 Policies and procedures shall be established to require X

Infrastructure & IVS-10 Secured and encrypted communication channels shall be

Security Incident SEF-02 Policies and procedures shall be established, and X

Security Incident SEF-03 Workforce personnel and external business relationships X

Supply Chain STA-07 Policies and procedures shall be implemented to ensure X

Supply Chain STA-09 Third-party service providers shall demonstrate X

Threat and TVM-01 Policies and procedures shall be established, and

Threat and TVM-02 Policies and procedures shall be established, and

Cloud Service Delivery Model

rvice Delivery Model Scope

Service Tenant / AICPA

(S3.10.0) Design, acquisition, implementation, configuration,

(S3.10.0) Design, acquisition, implementation, configuration,

(S3.2.a) a. Logical access security measures to restrict access

(I3.3.0) The procedures related to completeness, accuracy,

(I3.4.0) The procedures related to completeness, accuracy,

(I3.5.0) There are procedures to enable tracing of information

(S3.4) Procedures exist to protect against unauthorized access

(S4.1.0) The entity’s system security is periodically reviewed

(S4.2.0) There is a process to identify and address potential

(S4.1.0) The entity’s system security is periodically reviewed

(S4.2.0) There is a process to identify and address potential

(x3.1.0) Procedures exist to (1) identify potential threats of

(A3.1.0) Procedures exist to (1) identify potential threats of

(A3.3.0) Procedures exist to provide for backup, offsite storage,

(A3.4.0) Procedures exist to provide for the integrity of backup

(A3.2.0) Measures to prevent or mitigate threats have been

(A3.4.0) Procedures exist to protect against unauthorized

(S3.11.0) Procedures exist to provide that personnel

(A.2.1.0) The entity has prepared an objective description of the

(A3.1.0) Procedures exist to (1) identify potential threats of

(A3.2.0) Measures to prevent or mitigate threats have been

(A3.1.0) Procedures exist to (1) identify potential threats of

(A3.2.0) Measures to prevent or mitigate threats have been

(A3.2.0) Measures to prevent or mitigate threats have been

(A4.1.0) The entity’s system availability and security

(A3.1.0) Procedures exist to (1) identify potential threats of

(A3.3.0) Procedures exist to provide for backup, offsite storage,

(A3.4.0) Procedures exist to provide for the integrity of backup

(A3.3.0) Procedures exist to provide for backup, offsite storage,

(A3.4.0) Procedures exist to provide for the integrity of backup

(I3.20.0) Procedures exist to provide for restoration and

(I3.21.0) Procedures exist to provide for the completeness,

(S3.10.0) Design, acquisition, implementation, configuration,

(S3.13.0) Procedures exist to provide that only authorized,

(S3.10.0) Design, acquisition, implementation, configuration,

(S3.13) Procedures exist to provide that only authorized,

(S3.13) Procedures exist to provide that only authorized,

(A3.6.0) Procedures exist to restrict physical access to the