Professional Documents
Culture Documents
CCM V3.0
Control Domain Updated Control Specification
Control ID Phys
Application & Interface AIS-01 Applications and programming interfaces (APIs) shall be
Security designed, developed, deployed, and tested in
Application Security accordance with leading industry standards (e.g.,
OWASP for web applications) and adhere to applicable
legal, statutory, or regulatory compliance obligations.
Application & Interface AIS-02 Prior to granting customers access to data, assets, and X
Security information systems, identified security, contractual, and
Customer Access regulatory requirements for customer access shall be
Requirements addressed.
Application & Interface AIS-03 Data input and output integrity routines (i.e., reconciliation
Security and edit checks) shall be implemented for application
Data Integrity interfaces and databases to prevent manual or
systematic processing errors, corruption of data, or
misuse.
Application & Interface AIS-04 Policies and procedures shall be established and
Security maintained in support of data security to include
Data Security / Integrity (confidentiality, integrity and availability) across multiple
system interfaces, jurisdictions and business functions to
prevent improper disclosure, alteration, or destruction.
Audit Assurance & AAC-01 Audit plans shall be developed and maintained to X
Compliance address business process disruptions. Auditing plans
Audit Planning shall focus on reviewing the effectiveness of the
implementation of security operations. All audit activities
must be agreed upon prior to executing any audits.
Business Continuity BCR-05 Physical protection against damage from natural causes X
Management & and disasters, as well as deliberate attacks, including fire,
Operational Resilience flood, atmospheric electrical discharge, solar induced
Environmental Risks geomagnetic storm, wind, earthquake, tsunami,
explosion, nuclear accident, volcanic activity, biological
hazard, civil unrest, mudslide, tectonic activity, and other
forms of natural or man-made disaster shall be
anticipated, designed, and have countermeasures
applied.
Business Continuity BCR-06 To reduce the risks from environmental threats, hazards, X
Management & and opportunities for unauthorized access, equipment
Operational Resilience shall be kept away from locations subject to high
Equipment Location probability environmental risks and supplemented by
redundant equipment located at a reasonable distance.
Business Continuity BCR-09 There shall be a defined and documented method for X
Management & determining the impact of any disruption to the
Operational Resilience organization (cloud provider, cloud consumer) that must
Impact Analysis incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes,
applications, business partners, and third party service
providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned
disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of
critical products and services within their maximum
tolerable period of disruption
• Estimate the resources required for resumption
Business Continuity BCR-10 Policies and procedures shall be established, and
Management & supporting business
Operational Resilience processes and technical measures implemented, for
Policy appropriate IT
governance and service management to ensure
appropriate planning,
delivery and support of the organization's IT capabilities
supporting
business functions, workforce, and/or customers based
on industry
acceptable standards (i.e., ITIL v4 and COBIT 5).
Additionally, policies
and procedures shall include defined roles and
responsibilities
supported by regular workforce training.
Change Control & CCC-02 External business partners shall adhere to the same
Configuration policies and procedures for change management,
Management release, and testing as internal developers within the
Outsourced organization (e.g. ITIL service management processes).
Development
Change Control & CCC-03 Organization shall follow a defined quality change control
Configuration and testing process (e.g. ITIL Service Management) with
Management established baselines, testing, and release standards that
Quality Testing focus on system availability, confidentiality, and integrity
of systems and services.
Change Control & CCC-04 Policies and procedures shall be established, and
Configuration supporting business processes and technical measures
Management implemented, to restrict the installation of unauthorized
Unauthorized Software software on organizationally-owned or managed user
Installations end-point devices (e.g., issued workstations, laptops, and
mobile devices) and IT infrastructure network and
systems components.
Change Control & CCC-05 Policies and procedures shall be established for
Configuration managing the risks associated with applying changes to:
Management • business-critical or customer (tenant)-impacting
Production Changes (physical and virtual) applications and system-system
interface (API) designs and configurations
• infrastructure network and systems components
Technical measures shall be implemented to provide
assurance that all changes directly correspond to a
registered change request, business-critical or customer
(tenant) , and/or authorization by, the customer (tenant)
as per agreement (SLA) prior to deployment.
Data Security & DSI-01 Data and objects containing data shall be assigned a
Information Lifecycle classification by the data owner based on data type,
Management value, sensitivity, and criticality to the organization.
Classification
Data Security & DSI-02 Policies and procedures shall be established to inventory,
Information Lifecycle document, and maintain data flows for data that is
Management resident (permanently or temporarily) within the service's
Data Inventory / Flows applications and infrastructure network and systems. In
particular, providers shall ensure that data that is subject
to geographic residency requirements not be migrated
beyond its defined bounds.
Data Security & DSI-03 Data related to electronic commerce (e-commerce) that
Information Lifecycle traverses public networks shall be appropriately classified
Management and protected from fraudulent activity, unauthorized
eCommerce disclosure, or modification in such a manner to prevent
Transactions contract dispute and compromise of data.
Data Security & DSI-04 Policies and procedures shall be established for the
Information Lifecycle labeling, handling, and security of data and objects which
Management contain data. Mechanisms for label inheritance shall be
Handling / Labeling / implemented for objects that act as aggregate containers
Security Policy for data.
Data Security & DSI-05 Production data shall not be replicated or used in non-
Information Lifecycle production environments.
Management
Non-Production Data
Data Security & DSI-06 All data shall be designated with stewardship, with
Information Lifecycle assigned responsibilities defined, documented, and
Management communicated.
Ownership /
Stewardship
Data Security & DSI-07 Any use of customer data in non-production
Information Lifecycle environments requires explicit, documented approval
Management from all customers whose data is affected, and must
Secure Disposal comply with all legal and regulatory requirements for
scrubbing of sensitive data elements.
Datacenter Security DCS-02 Physical security perimeters (e.g., fences, walls, barriers, X
Controlled Access guards, gates, electronic surveillance, physical
Points authentication mechanisms, reception desks, and
security patrols) shall be implemented to safeguard
sensitive data and information systems.
Datacenter Security DCS-05 Policies and procedures shall be established for the X
Off-Site Equipment secure disposal of equipment (by asset type) used
outside the organization's premises. This shall include a
wiping solution or destruction process that renders
recovery of information impossible. The erasure shall
consist of a full overwrite of the drive to ensure that the
erased drive is released to inventory for reuse and
deployment, or securely stored until it can be destroyed.
Datacenter Security DCS-06 Policies and procedures shall be established, and X
Policy supporting business processes implemented, for
maintaining a safe and secure working environment in
offices, rooms, facilities, and secure areas storing
sensitive information.
Datacenter Security - DCS-07 Ingress and egress to secure areas shall be constrained X
Secure Area and monitored by physical access control mechanisms to
Authorization ensure that only authorized personnel are allowed
access.
Datacenter Security DCS-08 Ingress and egress points such as service areas and X
Unauthorized Persons other points where unauthorized personnel may enter the
Entry premises shall be monitored, controlled and, if possible,
isolated from data storage and processing facilities to
prevent unauthorized data corruption, compromise, and
loss.
Datacenter Security DCS-09 Physical access to information assets and functions by X
User Access users and support personnel shall be restricted.
Encryption & Key EKM-01 Keys must have identifiable owners (binding keys to
Management identities) and there shall be key management policies.
Entitlement
Encryption & Key EKM-02 Policies and procedures shall be established for the
Management management of cryptographic keys in the service's
Key Generation cryptosystem (e.g., lifecycle management from key
generation to revocation and replacement, public key
infrastructure, cryptographic protocol design and
algorithms used, access controls in place for secure key
generation, and exchange and storage including
segregation of keys used for encrypted data or sessions).
Upon request, provider shall inform the customer (tenant)
of changes within the cryptosystem, especially if the
customer (tenant) data is used as part of the service,
and/or the customer (tenant) has some shared
responsibility over implementation of the control.
Encryption & Key EKM-03 Policies and procedures shall be established, and
Management supporting business processes and technical measures
Sensitive Data implemented, for the use of encryption protocols for
Protection protection of sensitive data in storage (e.g., file servers,
databases, and end-user workstations), data in use
(memory), and data in transmission (e.g., system
interfaces, over public networks, and electronic
messaging) as per applicable legal, statutory, and
regulatory compliance obligations.
Encryption & Key EKM-04 Platform and data-appropriate encryption (e.g., AES-256)
Management in open/validated formats and standard algorithms shall
Storage and Access be required. Keys shall not be stored in the cloud (i.e. at
the cloud provider in question), but maintained by the
cloud consumer or trusted key management provider.
Key management and key usage shall be separated
Governance and Risk GRM-01 Baseline
duties. security requirements shall be established for X
Management developed or acquired, organizationally-owned or
Baseline Requirements managed, physical or virtual, applications and
infrastructure system and network components that
comply with applicable legal, statutory and regulatory
compliance obligations. Deviations from standard
baseline configurations must be authorized following
change management policies and procedures prior to
deployment, provisioning, or use. Compliance with
security baseline requirements must be reassessed at
least annually unless an alternate frequency has been
established and authorized based on business need.
Governance and Risk GRM-02 Risk assessments associated with data governance
Management requirements shall be
Data Focus Risk conducted at planned intervals and shall consider the
Assessments following:
• Awareness of where sensitive data is stored and
transmitted across
applications, databases, servers, and network
infrastructure
• Compliance with defined retention periods and end-of-
life disposal requirements
• Data classification and protection from unauthorized
use, access, loss, destruction, and falsification
Governance and Risk GRM-03 Managers are responsible for maintaining awareness of,
Management and complying with, security policies, procedures, and
Management Oversight standards that are relevant to their area of responsibility.
Governance and Risk GRM-06 Information security policies and procedures shall be
Management established and
Policy made readily available for review by all impacted
personnel and external
business relationships. Information security policies must
be
authorized by the organization's business leadership (or
other
accountable business role or function) and supported by
a strategic
business plan and an information security management
program inclusive of defined information security roles
and responsibilities for business leadership.
Governance and Risk GRM-07 A formal disciplinary or sanction policy shall be
Management established for employees who have violated security
Policy Enforcement policies and procedures. Employees shall be made
aware of what action might be taken in the event of a
violation, and disciplinary measures must be stated in the
policies and procedures.
Governance and Risk GRM-08 Risk assessment results shall include updates to security X
Management policies,
Policy Impact on Risk procedures, standards, and controls to ensure that they
Assessments remain relevant
and effective.
Governance and Risk GRM-09 The organization's business leadership (or other
Management accountable business
Policy Reviews role or function) shall review the information security
policy at
planned intervals or as a result of changes to the
organization to
ensure its continuing alignment with the security strategy,
effectiveness, accuracy, relevance, and applicability to
legal,
statutory, or regulatory compliance obligations.
Governance and Risk GRM-10 Aligned with the enterprise-wide framework, formal risk X
Management assessments shall be performed at least annually or at
Risk Assessments planned intervals, (and in conjunction with any changes
to information systems) to determine the likelihood and
impact of all identified risks using qualitative and
quantitative methods. The likelihood and impact
associated with inherent and residual risk shall be
determined independently, considering all risk categories
(e.g., audit results, threat and vulnerability analysis, and
regulatory compliance).
Identity & Access IAM-01 Access to, and use of, audit tools that interact with the X
Management organization's information systems shall be appropriately
Audit Tools Access segmented and restricted to prevent compromise and
misuse of log data.
Identity & Access IAM-02 User access policies and procedures shall be X
Management established, and supporting business processes and
Credential Lifecycle / technical measures implemented, for ensuring
Provision Management appropriate identity, entitlement, and access
management for all internal corporate and customer
(tenant) users with access to data and organizationally-
owned or managed (physical and virtual) application
interfaces and infrastructure network and systems
components. These policies, procedures, processes, and
measures must incorporate the following:
• Procedures and supporting roles and responsibilities
for provisioning and de-provisioning user account
entitlements following the rule of least privilege based on
job function (e.g., internal employee and contingent staff
personnel changes, customer-controlled access,
suppliers' business relationships, or other third-party
business relationships)
• Business case considerations for higher levels of
assurance and multi-factor authentication secrets (e.g.,
management interfaces, key generation, remote access,
segregation of duties, emergency access, large-scale
provisioning or geographically-distributed deployments,
and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-
tenant architectures by any third party (e.g., provider
and/or other customer (tenant))
• Identity trust verification and service-to-service
application (API) and information processing
interoperability (e.g., SSO and federation)
• Account credential lifecycle management from
instantiation through revocation
• Account credential and/or identity store minimization or
re-use when feasible
• Authentication, authorization, and accounting (AAA)
rules for access to data and sessions (e.g., encryption
and strong/multi-factor, expireable, non-shared
authentication secrets)
Identity & Access IAM-03 User access toand
• Permissions diagnostic and capabilities
supporting configurationforports shall
customer X
Management be restricted to authorized individuals and applications.
(tenant) controls over authentication, authorization, and
Diagnostic / accounting (AAA) rules for access to
Configuration Ports data and sessions
Access • Adherence to applicable legal, statutory, or regulatory
compliance requirements
Identity & Access IAM-04 Policies and procedures shall be established to store and
Management manage identity information about every person who
Policies and accesses IT infrastructure and to determine their level of
Procedures access. Policies shall also be developed to control
access to network resources based on user identity.
Identity & Access IAM-05 User access policies and procedures shall be X
Management established, and supporting business processes and
Segregation of Duties technical measures implemented, for restricting user
access as per defined segregation of duties to address
business risks associated with a user-role conflict of
interest.
Identity & Access IAM-06 Access to the organization's own developed applications,
Management program, or object source code, or any other form of
Source Code Access intellectual property (IP), and use of proprietary software
Restriction shall be appropriately restricted following the rule of least
privilege based on job function as per established user
access policies and procedures.
Identity & Access IAM-07 The identification, assessment, and prioritization of risks X
Management posed by
Third Party Access business processes requiring third-party access to the
organization's
information systems and data shall be followed by
coordinated
application of resources to minimize, monitor, and
measure likelihood
and impact of unauthorized or inappropriate access.
Compensating
controls derived from the risk analysis shall be
implemented prior to
provisioning access.
Identity & Access IAM-08 Policies and procedures are established for permissible
Management storage and
Trusted Sources access of identities used for authentication to ensure
identities are
only accessible based on rules of least privilege and
replication
limitation only to users explicitly defined as business
necessary.
Identity & Access IAM-09 Provisioning user access (e.g., employees, contractors,
Management customers
User Access (tenants), business partners and/or supplier relationships)
Authorization to data and
organizationally-owned or managed (physical and virtual)
applications,
infrastructure systems, and network components shall be
authorized by
the organization's management prior to access being
granted and
appropriately restricted as per established policies and
procedures.
Upon request, provider shall inform customer (tenant) of
this user
access, especially if customer (tenant) data is used as
part the service
and/or customer (tenant) has some shared responsibility
over
implementation of control.
Identity & Access IAM-10 User access shall be authorized and revalidated for X
Management entitlement appropriateness, at planned intervals, by the
User Access Reviews organization's business leadership or other accountable
business role or function supported by evidence to
demonstrate the organization is adhering to the rule of
least privilege based on job function. For identified
access violations, remediation must follow established
user access policies and procedures.
Identity & Access IAM-11 Timely de-provisioning (revocation or modification) of X
Management user access to
User Access data and organizationally-owned or managed (physical
Revocation and virtual)
applications, infrastructure systems, and network
components, shall be
implemented as per established policies and procedures
and based on
user's change in status (e.g., termination of employment
or other
business relationship, job change or transfer). Upon
Identity & Access IAM-12 request, provider or customer (tenant) user account
Internal corporate
Management shall inform customer
credentials shall (tenant)as
be restricted of per
these
thechanges,
following,
User ID Credentials especially if customer
ensuring appropriate identity, entitlement, and access
(tenant)
managementdata is used
and as part the service
in accordance and/or customer
with established policies
(tenant) has
and procedures:
some shared
• Identity trustresponsibility overservice-to-service
verification and implementation of
control.
application (API) and information processing
interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from
instantiation through revocation
• Account credential and/or identity store minimization or
re-use when feasible
• Adherence to industry acceptable and/or regulatory
compliant authentication, authorization, and accounting
(AAA) rules (e.g., strong/multi-factor, expireable, non-
shared authentication secrets)
Identity & Access IAM-13 Utility programs capable of potentially overriding system,
Management object, network, virtual machine, and application controls
Utility Programs shall be restricted.
Access
Infrastructure & IVS-01 Higher levels of assurance are required for protection, X
Virtualization Security retention, and
Audit Logging / lifecyle management of audit logs, adhering to applicable
Intrusion Detection legal,
statutory or regulatory compliance obligations and
providing unique user
access accountability to detect potentially suspicious
network
behaviors and/or file integrity anomalies, and to support
forensic
investigative capabilities in the event of a security breach.
Infrastructure & IVS-02 The provider shall ensure the integrity of all virtual
Virtualization Security machine images at all times. Any changes made to virtual
Change Detection machine images must be logged and an alert raised
regardless of their running state (e.g. dormant, off, or
running). The results of a change or move of an image
and the subsequent validation of the image's integrity
must be immediately available to customers through
electronic methods (e.g. portals or alerts).
Infrastructure & IVS-03 A reliable and mutually agreed upon external time source
Virtualization Security shall be used to synchronize the system clocks of all
Clock Synchronization relevant information processing systems to facilitate
tracing and reconstitution of activity timelines.
Infrastructure & IVS-04 The availability, quality, and adequate capacity and
Virtualization Security resources shall be planned, prepared, and measured to
Information System deliver the required system performance in accordance
Documentation with legal, statutory, and regulatory compliance
obligations. Projections of future capacity requirements
shall be made to mitigate the risk of system overload.
Infrastructure & IVS-05 Implementers shall ensure that the security vulnerability
Virtualization Security assessment
Management - tools or services accommodate the virtualization
Vulnerability technologies used (e.g.
Management virtualization aware).
Infrastructure & IVS-06 Network environments and virtual instances shall be X
Virtualization Security designed and configured to restrict and monitor traffic
Network Security between trusted and untrusted connections. These
configurations shall be reviewed at least annually, and
supported by a documented justification for use for all
allowed services, protocols, and ports, and by
compensating controls.
Infrastructure & IVS-07 Each operating system shall be hardened to provide only
Virtualization Security necessary ports, protocols, and services to meet
OS Hardening and business needs and have in place supporting technical
Base Conrols controls such as: antivirus, file integrity monitoring, and
logging as part of their baseline operating build standard
or template.
Infrastructure & IVS-08 Production and non-production environments shall be X
Virtualization Security separated to prevent unauthorized access or changes to
Production / Non- information assets. Separation of the environments may
Production include: stateful inspection firewalls, domain/realm
Environments authentication sources, and clear segregation of duties
for personnel accessing these environments as part of
their job duties.
Infrastructure & IVS-09 Multi-tenant organizationally-owned or managed X
Virtualization Security (physical and virtual) applications, and infrastructure
Segmentation system and network components, shall be designed,
developed, deployed and configured such that provider
and customer (tenant) user access is appropriately
segmented from other tenant users, based on the
following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive
user data, and sessions that mandate stronger internal
controls and high levels of assurance
• Compliance with legal, statutory and regulatory
compliance obligations
Infrastructure & IVS-13 Network architecture diagrams shall clearly identify high-
Virtualization Security risk environments and data flows that may have legal
Network Architecture compliance impacts. Technical measures shall be
implemented and shall apply defense-in-depth
techniques (e.g., deep packet analysis, traffic throttling,
and black-holing) for detection and timely response to
network-based attacks associated with anomalous
ingress or egress traffic patterns (e.g., MAC spoofing and
ARP poisoning attacks) and/or distributed denial-of-
service (DDoS) attacks.
Interoperability & IPY-01 The provider shall use open and published APIs to
Portability ensure support for interoperability between components
APIs and to facilitate migrating applications.
Interoperability & IPY-02 All structured and unstructured data shall be available to
Portability the customer and provided to them upon request in an
Data Request industry-standard format (e.g., .doc, .xls, .pdf, logs, and
flat files)
Interoperability & IPY-03 Policies, procedures, and mutually-agreed upon X
Portability provisions and/or terms shall be established to satisfy
Policy & Legal customer (tenant) requirements for service-to-service
application (API) and information processing
interoperability, and portability for application
development and information exchange, usage, and
integrity persistence.
Interoperability & IPY-04 The provider shall use secure (e.g., non-clear text and
Portability authenticated) standardized network protocols for the
Standardized Network import and export of data and to manage the service, and
Protocols shall make available a document to consumers (tenants)
detailing the relevant interoperability and portability
standards that are involved.
Interoperability & IPY-05 The provider shall use an industry-recognized
Portability virtualization platform and standard virtualization formats
Virtualization (e.g., OVF) to help ensure interoperability, and shall have
documented custom changes made to any hypervisor in
use and all solution-specific virtualization hooks available
for customer review.
Mobile Security MOS-01 Anti-malware awareness training, specific to mobile X
Anti-Malware devices, shall be included in the provider's information
security awareness training.
Mobile Security MOS-02 A documented list of approved application stores has X
Application Stores been defined as acceptable for mobile devices accessing
or storing provider managed data.
Mobile Security MOS-03 The company shall have a documented policy prohibiting
Approved Applications the installation of non-approved applications or approved
applications not obtained
Mobile Security MOS-04 through
The BYOD a pre-identified application
policy and supporting store.
awareness training X
Approved Software for clearly states the approved applications, application
BYOD stores, and application extensions and plugins that may
Mobile Security MOS-05 be
Theused for BYOD
provider usage.
shall have a documented mobile device X
Awareness and policy that includes a documented definition for mobile
Training devices and the acceptable usage and requirements for
all mobile devices. The provider shall post and
communicate the policy and requirements through the
company's security awareness and training program.
Mobile Security MOS-06 All cloud-based services used by the company's mobile
Cloud Based Services devices or BYOD
shall be pre-approved for usage and the storage of
Mobile Security MOS-07 company business
The company shall have a documented application
Compatibility data.
validation process to test for mobile device, operating
system, and application compatibility issues.
Mobile Security MOS-08 The BYOD policy shall define the device and eligibility X
Device Eligibility requirements to allow for BYOD usage.
Mobile Security MOS-09 An inventory of all mobile devices used to store and X
Device Inventory access company data shall be kept and maintained. All
changes to the status of these devices (i.e., operating
system and patch levels, lost or decommissioned status,
and to whom the device is assigned or approved for
usage (BYOD)) will be included for each device in the
inventory.
Mobile Security MOS-10 A centralized, mobile device management solution shall X
Device Management be deployed to all mobile devices permitted to store,
transmit, or process customer data.
Mobile Security MOS-11 The mobile device policy shall require the use of
Encryption encryption either for
the entire device or for data identified as sensitive on all
Mobile Security MOS-12 mobile
The mobile device policy shall prohibit the circumvention X
Jailbreaking and devices
of built-inand shall be
security enforced
controls throughdevices
on mobile technology
(e.g.
Rooting controls.
jailbreaking or rooting) and shall enforce the prohibition
through detective and preventative controls on the device
or through a centralized device management system (e.g.
mobile device management).
Mobile Security MOS-13 The BYOD policy includes clarifying language for the
Legal expectation of privacy, requirements for litigation, e-
discovery, and legal holds. The BYOD policy shall clearly
state the expectations regarding the loss of non-company
data in the case a wipe of the device is required.
Mobile Security MOS-14 BYOD and/or company-owned devices are configured to
Lockout Screen require an automatic lockout screen, and the requirement
shall be enforced through technical controls.
Mobile Security MOS-15 Changes to mobile device operating systems, patch
Operating Systems levels, and/or applications shall be managed through the
company's change management processes.
Mobile Security MOS-16 Password policies, applicable to mobile devices, shall be
Passwords documented and enforced through technical controls on
all company devices or devices approved for BYOD
usage, and shall prohibit the changing of password/PIN
lengths and authentication requirements.
Mobile Security MOS-17 The mobile device policy shall require the BYOD user to
Policy perform backups of data, prohibit the usage of
unapproved application stores, and require the use of
anti-malware software (where supported).
Mobile Security MOS-18 All mobile devices permitted for use through the company
Remote Wipe BYOD program or a company-assigned mobile device
shall allow for remote wipe by the company's corporate IT
or shall have all company-provided data wiped by the
company's corporate IT.
Mobile Security MOS-19 Mobile devices connecting to corporate networks, or
Security Patches storing and accessing company information, shall allow
for remote software version/patch validation. All mobile
devices shall have the latest available security-related
patches installed upon general release by the device
manufacturer or carrier and authorized IT personnel shall
be able to perform these updates remotely.
Mobile Security MOS-20 The BYOD policy shall clarify the systems and servers
Users allowed for use or access on a BYOD-enabled device.
Security Incident SEF-01 Points of contact for applicable regulation authorities, X
Management, E- national and local law enforcement, and other legal
Discovery & Cloud jurisdictional authorities shall be maintained and regularly
Forensics updated (e.g., change in impacted-scope and/or a
Contact / Authority change in any compliance obligation) to ensure direct
Maintenance compliance liaisons have been established and to be
prepared for a forensic investigation requiring rapid
engagement with law enforcement.
Security Incident SEF-05 Mechanisms shall be put in place to monitor and quantify X
Management, E- the types, volumes, and costs of information security
Discovery & Cloud incidents.
Forensics
Incident Response
Metrics
Supply Chain STA-01 Providers shall inspect, account for, and work with their
Management, cloud supply-chain partners to correct data quality errors
Transparency and and associated risks. Providers shall design and
Accountability implement controls to mitigate and contain data security
Data Quality and risks through proper separation of duties, role-based
Integrity access, and least-privilege access for all personnel within
their supply chain.
Supply Chain STA-02 The provider shall make security incident information
Management, available to all affected customers and providers
Transparency and periodically through electronic methods (e.g. portals).
Accountability
Incident Reporting
Supply Chain STA-03 Business-critical or customer (tenant) impacting (physical X
Management, and virtual) application and system-system interface
Transparency and (API) designs and configurations, and infrastructure
Accountability network and systems components, shall be designed,
Network / Infrastructure developed, and deployed in accordance with mutually
Services agreed-upon service and capacity-level expectations, as
well as IT governance and service management policies
and procedures.
Supply Chain STA-04 The provider shall perform annual internal assessments X
Management, of conformance to, and effectiveness of, its policies,
Transparency and procedures, and supporting measures and metrics.
Accountability
Provider Internal
Assessments
Supply Chain STA-05 Supply chain agreements (e.g., SLAs) between providers X
Management, and customers (tenants) shall incorporate at least the
Transparency and following mutually-agreed upon provisions and/or terms:
Accountability • Scope of business relationship and services offered
Supply Chain (e.g., customer (tenant) data acquisition, exchange and
Agreements usage, feature sets and functionality, personnel and
infrastructure network and systems components for
service delivery and support, roles and responsibilities of
provider and customer (tenant) and any subcontracted or
outsourced business relationships, physical geographical
location of hosted services, and any known regulatory
compliance considerations)
• Information security requirements, provider and
customer (tenant) primary points of contact for the
duration of the business relationship, and references to
detailed supporting and relevant business processes and
technical measures implemented to enable effectively
governance, risk management, assurance and legal,
statutory and regulatory compliance obligations by all
impacted business relationships
• Notification and/or pre-authorization of any changes
controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed
breach) to all customers (tenants) and other business
relationships impacted (i.e., up- and down-stream
impacted supply chain)
• Assessment and independent verification of
compliance with agreement provisions and/or terms (e.g.,
industry-acceptable certification, attestation audit
report, or equivalent forms of assurance) without posing
an unacceptable business risk of exposure to the
organization being assessed
• Expiration of the business relationship and treatment of
customer (tenant) data impacted
• Customer (tenant) service-to-service application (API)
and data interoperability and portability requirements for
application development and information exchange,
Supply Chain STA-06 Providers
usage, andshall review
integrity the risk management and
persistence X
Management, governance processes of their partners so that practices
Transparency and are consistent and aligned to account for risks inherited
Accountability from other members of that partner's cloud supply chain.
Supply Chain
Governance Reviews
© Copyright 2014 Cloud Security Alliance - All rights reserved. You may download, store,
display on your computer, view, print, and link to the Cloud Security Alliance “Cloud Controls Matrix
(CCM) Version 3.0.1” at http://www.cloudsecurityalliance.org subject to the following: (a) the Cloud
Controls Matrix v3.0.1 may be used solely for your personal, informational, non-commercial use; (b)
the Cloud Controls Matrix v3.0.1 may not be modified or altered in any way; (c) the Cloud Controls
Matrix v3.0.1 may not be redistributed; and (d) the trademark, copyright or other notices may not be
removed. You may quote portions of the Cloud Controls Matrix v3.0.1 as permitted by the Fair Use
provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud
Security Alliance Cloud Controls Matrix Version 3.0.1 (2014). If you are interested in obtaining a
license to this material for other usages not addresses in the copyright notice, please contact
info@cloudsecurityalliance.org.
FedRAMP CLOUD CONTROLS MATRIX v3.0.1 Candidate Mapping
X X X X X X
X X X X X X X X
X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X
X X X X X X X X
X X X
X X X
X X X X X X X X
X X X X X
X X X X X X X X
X X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X
X X X X X X X X
X X X X X X X
X X X X
X X X X X X X
X X X X X
X X X X X X X
X X X X X X X
X X
X X
X X X X
X X X X X
X X X X X X X X
X X X X X X X
X X X X X
X X
X X X X X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X X X X X
X X X
X X X X X X X X
X X X
X X X
X X X
X X X X X X X X
X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X X X
X X X X X X X X
X X X X X X X X
X X X X
X X X X X X X
X X X X X X X X
X X X
X X X X X X X X
X X X X X X
X X X X X X X X
X X X
X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X
X X X X X X X
X X X X X X X X
X X X X X
X X X X X X
X X X
X X X X X X X
X X X X
X X X X X X X
X X X X X X X
X X X
X X X X X X X X
X X X X X X X X
X X X X X X X
X X X X X X X
X X X X X X X X
X X X X
X X X X X X X
X X X
X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X
X X X
X X X X X X X X
X X X X
X X X X X X X X
X X X X X X
X X X X X
X X X X X X
X X X X X
X X X X X X
X X X X X X
X X X X
X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X X X
X X X X X X
X X X X X X X
X X X X X X
g
X X S3.10.0
S3.10.0
X X X S3.2.a
X X X I3.2.0
I3.3.0
I3.4.0
I3.5.0
X X S3.4
X X S4.1.0
S4.2.0
X X X S4.1.0
S4.2.0
X X X S3.1.0
x3.1.0
X X X A3.1.0
A3.3.0
A3.4.0
X X X A3.3
X X A3.2.0
A3.4.0
X X S3.11.0
A.2.1.0
X X A3.1.0
A3.2.0
X X A3.1.0
A3.2.0
X X A3.2.0
A4.1.0
X X A3.2.0
X X X A3.1.0
A3.3.0
A3.4.0
X X S2.3.0
X X X A3.3.0
A3.4.0
I3.20.0
I3.21.0
X X S3.12.0
S3.10.0
S3.13.0
X X X S3.10.0
S3.13
X X A3.13.0
C3.16.0
I3.14.0
S3.10.0
S3.13
X X A3.6.0
S3.5.0
S3.13.0
X X X A3.16.0
S3.13.0
X X X S3.8.0
C3.14.0
X X X S3.6
I13.3.a-e
I3.4.0
X X X S3.2.a
X X C3.5.0
S3.4.0
C3.21.0
X X S2.2.0
S2.3.0
S3.8.0
X X C3.5.0
S3.4.0
X X S3.1.0
C3.14.0
S1.2.b-c
X X A3.6.0
S3.2.a
X X S3.2.f
C3.9.0
X X X S3.4
X X A3.6.0
X X A3.6.0
X X A3.6.0
X X A3.6.0
X X S3.6.0
S3.4
X X C3.12.0
S3.6.0
S3.4
X X X
X X S1.1.0
S1.2.0(a-i)
X X X S3.1.0
C3.14.0
S1.2.b-c
X X X S1.2.f
S2.3.0
X X X x1.2.
X X S1.3.0
X X X S1.1.0
S1.3.0
S2.3.0
X X X S3.9
S2.4.0
X X X
X X X S1.1.0
X X X S3.1
x3.1.0
S4.3.0
X X X S3.1
x3.1.0
X X X S3.4
X X X S3.11.0
X X X S2.2.0
X X X S3.2.d
S3.8.e
X X X S3.4
X X X S4.1.0
X X X S1.2.f
X X X S1.2
S3.9
X X X S1.2.k
S2.2.0
X X X S2.3.0
X X X S3.3.0
S3.4.0
X X S3.2.g
X X S3.2.0
X X X S3.2.g
X X S3.2.a
X X S3.13.0
X X X S3.1
x3.1.0
X X S3.2.0
S4.3.0
X X X S3.2.0
X X X S3.2.0
X X S3.2.0
X X X S3.2.b
X X X S3.2.g
X X S3.7
X X S3.7
X X X A3.2.0
A4.1.0
X X
X X X S3.4
X X X
X X S3.4
X X X S3.4
X X
X X
X X X S3.4
X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X S4.3.0
x4.4.0
X X X IS3.7.0
S3.9.0
X X X A2.3.0
C2.3.0
I2.3.0
S2.3.0
S2.4
C3.6.0
X X X S2.4.0
C3.15.0
X X X S3.9.0
C4.1.0
X X X C2.2.0
X X
X X X S2.2.0
A3.6.0
C3.6.0
X X
X X
X X
X X S2.2.0
C2.2.0
C3.6
X X X S3.5.0
X X S3.10.0
X X X S3.4.0
S3.10.0
AICPA
Trust Service Criteria (SOC 2SM Report)
CC7.1 I.4
CC5.1
PI1.2 I.4
PI1.3
PI1.5
CC5.6 B.1
CC4.1
CC4.1
CC3.1
CC3.1
A1.2
A1.3
A1.2
A1.1 F.1
A1.2
A1.3
CC1.3
CC1.4
CC2.1
CC3.1 F.1
A1.1
A1.2
CC3.1 F.1
A1.1
A1.2
A1.1
A1.2
CC4.1
A1.1 F.1
A1.2
CC3.1
A1.2
A1.3
CC3.2
A1.2
A1.3
I3.21
CC7.2 I.2
CC7.1
CC7.4
CC7.1 C.2
I.1
CC7.4 I.2
I.4
CC7.1
CC7.1
CC7.1
CC7.1
CC7.4
CC5.5 G.1
I.2
CC5.8
CC7.4
CC7.4
CC7.4
CC3.1
CC3.1
CC5.7 G.4
G.11
G.16
G.18
PI1.5 I.3
I.4
CC5.1 G.13
C1.3
CC5.6
C1.1
CC2.3
CC3.1
C1.3
CC5.6
CC3.1
CC3.1
CC5.5 F.2
CC5.1 D.1
CC5.1
CC5.5
CC5.6 D.1
CC5.5 H.6
CC5.5 F.2
CC5.5 G.21
CC5.5 F.2
CC5.7
CC5.6
CC5.7 G.4
G.15
CC5.6 I.3
CC3.2 L.2
CC3.1
CC3.1
CC3.2 E.1
CC1.2
CC3.2
CC1.2
CC2.3
CC6.2
CC2.5
B.2
G.21
L.2
CC3.2 B.2
CC3.1 I.1
I.4
CC3.3
CC3.1 L.2
CC5.6 D.1
CC1.3 E.2
CC1.4
CC2.2 C.1
CC2.3
CC5.4
CC5.6
CC4.1
B.1
CC3.2 B.3
CC6.2
CC2.2 E.1
CC2.3
CC3.2 E.1
CC5.5 E.1
CC5.6
CC5.1
B.1
CC5.1
CC5.1
CC7.4
CC3.1 B.1
H.2
CC3.3
H.2
CC5.3 B.1
H.5
CC5.1
CC6.2 G.7
G.8
G.9
J.1
L.2
CC6.2 G.7
G.8
A1.1
A1.2
CC4.1
CC5.6 G.2
G.4
G.15
G.16
G.17
G.18
I.3
CC5.6 B.1
CC5.6 G.17
CC5.6 D.1
B.3
F.1
G.4
G.15
G.17
G.18
CC3.3
CC5.5 J.1
CC6.2
CC2.3 J.1
E.1
CC2.5
C1.4
C1.5
CC2.5 J.1
E.1
CC6.2
CC6.2
CC4.1
CC2.2 C.2
CC2.3
CC2.2 C.2
CC2.3
CC5.5
C1.4
C1.5
CC2.2 C.2
CC2.3
C1.4
C1.5
CC5.8
CC7.1 I.4
CC5.6
CC7.1
BITS Shared Assessments
BSI Germany
SIG v6.0
G.16.3, I.3
G.1.1 56 (B)
57 (B)
F.2.19 1 (B)
F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, 54 (A+)
F.2.10, F.2.11, F.2.12
K.2
G.1.1 45 (B)
D.2.2.9 36 (B)
I.1.1, I.1.2, I.2. 7.2, I.2.8, I.2.9,
I.2.10, I.2.13, I.2.14, I.2.15,
I.2.18, I.2.22.6, L.5
D.1.3, D.2.2
G.19.1.1, G.19.1.2, G.19.1.3,
G.10.8, G.9.11, G.14, G.15.1
D.2.2
I.2.18
D.1.1, D.1.3
F.2.18, F.2.19,
F.2.18
L.6 38 (B)
39 (C+)
G.10.4, G.11.1, G.11.2, G.12.1, 23 (B)
G.12.2, G.12.4, G.12.10, 24 (B)
G.14.18, G.14.19, G.16.2, 25 (B)
G.16.18, G.16.19, G.17.16,
G.17.17, G.18.13, G.18.14,
G.19.1.1, G.20.14
C.1 5 (B)
B.1
B.1.5
B.1.33. B.1.34,
C.2.1, I.4.1, I.5, G.15.1.3, I.3 46 (B)
74 (B)
A.1, L.1
E.6.4
E.2 63 (B)
E.3.5 66 (B)
E.6
C.2.5
E.4 65 (B)
66 (B)
E.4
B.1.8, B.1.21, B.1.28, E.6.2, 8 (B)
H.1.1, K.1.4.5, 40 (B)
41 (B)
42 (B)
43 (B)
44 (C+)
H.2.16
G.14.7, G.14.8, G.14.9,
G.14.10,G.14.11, G.14.12,
G.15.5, G.15.7, G.15.8, G.16.8,
G.16.9, G.16.10, G.15.9,
G.17.5, G.17.7, G.17.8, G.17.6,
G.17.9, G.18.2, G.18.3, G.18.5,
G.18.6, G.19.2.6, G.19.3.1,
G.9.6.2, G.9.6.3, G.9.6.4,
G.9.19, H.2.16, H.3.3, J.1, J.2,
L.5, L.9, L.10
G.5
G.9.17, G.9.7, G.10, G.9.11,
G.14.1, G.15.1, G.9.2, G.9.3,
G.9.13
J.1.2 47 (B)
51 (B)
C.2.4,C.2.6, G.4.1, G.4.2, L.2, 60 (B)
L.4, L.7, L.11 62 (C+, A+)
83 (B)
84 (B)
85 (B)
G.7 17 (B)
CO-01
CO-02
Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and CO-05
Retention, Subsec. 4.1.3
RS-03
RS-04
OP-04
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 RS-07
RS-02
OP-01
DG-02
--
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 IS-28
DG-03
DG-06
--
IS-05
Schedule 1 (Section 5), 4.7 - Safeguards RI-02
--
Schedule 1 (Section 5) 4.7 Safeguards, Subs. 4.7.3(b) IS-15
OP-03
--
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 SA-08
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
CO-04
IS-25
--
--
LG-02
--
--
CO-03
IS-21
DS5.11 APO09.01 312.8 and BOSS > Data Governance > Rules
APO09.02 312.10 for Information Leakage
APO09.03 Prevention
APO13.01
DSS05.02
DSS06.06
MEA03.01
MEA03.02
DS 12.2 APO13.01 312.8 and Infra Services > Facility Security >
DS 12.3 DSS01.01 Controlled Physical Access
DSS01.05
DSS05.05
DSS06.03
DSS06.06
EDM05.02 312.8 and SRM > Facility Security > Asset Han
APO01.02 312.10
APO03.02
BAI02.03
BAI02.04
BAI03.09
BAI06.01
DS 12.3 APO13.01 312.8 and SRM > Policies and Standards >
APO13.02 Information Security Policy (Facility
DSS05.05 Security Policy)
APO13.01 312.8 and SRM > Policies and Standards > Infor
APO13.02 312.10
DSS05.05
DSS06.03
DS 12.3 APO13.01 312.8 and Infra Services > Facility Security >
APO13.02
DSS05.04
DSS05.05
DSS06.03
APO01.06
APO13.01
DSS05.04
DSS05.06
DSS06.03 SRM > Cryptographic Services >
DSS06.06 Key Management
DS5.8 APO13.01 312.8 and SRM > Cryptographic Services >
APO13.02 312.10 Key Management
APO09.03
BAI06.01
BAI09.01
BAI09.02
BAI09.03
DS5.8 APO13.01 312.8 and SRM > Data Protection >
DS5.10 DSS05.02 312.10 Cryptographic Services - Data-At-
DS5.11 DSS05.03 Rest Encryption,
DSS06.06 Cryptographic Services - Data-in-
Transit Encryption
DS5.2 APO01.03 312.8 and SRM > Policies and Standards >
APO01.04 312.10 Information Security Policies
APO13.01
APO13.02
PO 7.7 APO01.03 312.8 and SRM > Governance Risk &
APO01.08 312.10 Compliance >
APO07.04
DS5.3 APO01.03 312.8 and SRM > Policies and Standards >
DS5.4 APO01.08 312.10 Technical Securitry Standards
APO13.02
DSS05.04
DSS06.03
DSS06.06
MEA01.03
DS5.6 APO01.03 312.8 and ITOS > Service Support > Security
APO13.01 312.10 Incident Management
APO13.02
DSS01.03
DSS02.01
DSS02.02
DSS02.04
DSS02.05
DSS02.06
DS5.11
312.3,
APO09.03 312.8 and BOSS > Legal Services >
APO09.05 312.10 Contracts
312.2(a)
and 312.3
(Prohibitio
APO01.08 n on
APO10.05 Disclosure BOSS > Compliance > Third-Party
MEA02.01 ) Audits
DS5.9
APO01.03
APO13.01
APO13.02 312.8 and SRM > Infrastructure Protection
DSS05.01 312.10 Services > Anti-Virus
AI6.1
AI3.3
DS5.9
APO01.03
APO13.01
APO13.02
BAI06.01
BAI06.02
BAI06.03
BAI06.04
DSS01.01
DSS01.02
DSS01.03
DSS03.05
DSS05.01 SRM > Threat and Vulnerability
DSS05.03 312.8 and Management > Vulnerability
DSS05.07 312.10 Management
APO01.03
APO13.01
APO13.02
DSS05.01
DSS05.02 SRM > Infrastructure Protection
DSS05.03 312.8 and Services > End Point - White
DSS05.04 312.10 Listing
rprise Architecture CSA Guidance
ENISA IAF
usted Cloud Initiative) V3.0
Public Private
shared x Domain 10 6.03.01. (c)
shared x Domain 10
shared x Domain 10
shared x Domain 7, 8
shared x None
shared x None 6.03.01. (b)
6.03.01. (d)
shared x None
shared x None 6.03. (a)
shared x Domain 5
shared x Domain 5 6.03. (h)
provider x Domain 8
shared x Domain 11
shared x Domain 2
shared x Domain 2
shared x Domain 2
shared x Domain 2, 4 6.03. (a)
6.08. (a)
shared x Domain 2, 4
provider x Domain 2
shared x None
shared x None
shared x Domain 2
shared x Domain 3
shared x Domain 2
shared x Domain 2
shared x Domain 2 6.01. (c)
6.02. (e)
shared x Domain 2
shared x Domain 2
provider x Domain 2
Domain 12
shared x Domain 2 6.04.01. (d)
6.04.08.02. (a)
shared x Domain 2
shared x Domain 2
shared x Domain 2 6.03.04. (b)
6.03.04. (c)
6.03.05. (d)
6.03.06. (a)
6.04.02. (b)
shared x Domain 2
shared x Domain 10 6.03. (i)
6.03. (j)
6.03.03. (a)
6.03.03. (d)
6.03.04. (e)
6.04.07. (a)
6.07.01. (a)
6.07.01. (c)
provider x Domain 1, 13
provider x Domain 10 6.03.03. (a)
6.03.03. (d)
6.03.04. (d)
6.04.07. (a)
6.07.01. (c)
shared x Domain 1, 13
provider X Domain 1, 13
provider X Domain 1, 13
provider X Domain 10
provider X Domain 6
provider Domain 6
Domain 3 6.04.03. (b)
6.04.08. (a)
6.04.08. (b)
6.06. (a)
6.06. (b)
6.06. (c)
6.06. (d)
6.06. (e)
6.06. (f)
provider
provider x Domain 6
provider X Domain 6
provider X Domain 2
provider Domain 2
shared x
Domain 2
provider x
provider x Domain 3 6.02. (c)
6.02. (d)
6.07.01. (k)
Domain 2
provider x
Domain 2, 4 6.02. (b)
6.02. (d)
shared x
Domain 2 6.03. (f)
shared x
Domain 2 6.03.02. (a)
6.03.02. (b)
6.03.05. (c)
6.07.01. (o)
shared x
Domain 10 6.03. (g)
shared x
FedRAMP CLOUD CONTROLS MATRIX
Article 17
Article 17
Article 17
Article 17 (3)
NIST SP 800-53 R3 CA-3
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SC-7
Article 17(2)
NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-5
Article 17
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-5
Article 17
Article 17
LOUD CONTROLS MATRIX v3.0.1 Candidate Mapping
MP-7
MP-7(1)
SC-12
AC-6(5) 99.31.(a)(1)(ii)
SA-10 (1)
-
NIST SP 800-53 R3 CM-7 AC-4 (21)
NIST SP 800-53 R3 CM-7 (1) CA-3
NIST SP 800-53 R3 SC-7 CA-3 (3)
NIST SP 800-53 R3 SC-7 (1) CA-3 (5)
NIST SP 800-53 R3 SC-7 (2) CA-9
NIST SP 800-53 R3 SC-7 (3) CM-7
NIST SP 800-53 R3 SC-7 (4) CM-7 (1)
NIST SP 800-53 R3 SC-7 (5) CM-7 (2)
NIST SP 800-53 R3 SC-7 (7) SC-7
NIST SP 800-53 R3 SC-7 (8) SC-7 (3)
NIST SP 800-53 R3 SC-7 (12) SC-7 (4)
NIST SP 800-53 R3 SC-7 (13) SC-7 (5)
NIST SP 800-53 R3 SC-7 (18) SC-7 (7)
NIST SP 800-53 R3 SC-20 (1) SC-7 (8)
NIST SP 800-53 R3 SC-21 SC-7 (12)
NIST SP 800-53 R3 SC-22 SC-7 (13)
NIST SP 800-53 R3 SC-30 SC-7 (18)
NIST SP 800-53 R3 SC-32 SC-20
SC-21
SC-22
CA-3
AC-6 (5)
CA-3
CA-3 (3)
CA-3 (5)
CA-9
RA-5 (8)
SI-4 (1)
MP-7
MP-7 (1)
AC-19 (5)
NIST SP 800-53 R3 IR-6 IR-6
NIST SP 800-53 R3 IR-6 (1) IR-6 (1)
NIST SP 800-53 R3 SI-5 IR-9
SI-5
IR-9 (1)
1.2.2 A.6.2.1
1.2.6 A.6.2.2
6.2.1 A.11.1.1
6.2.2
1.2.6 45 CFR 164.312 (c)(1) A.10.9.2
45 CFR 164.312 (c)(2) A.10.9.3
45 CFR 164.312(e)(2)(i) A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1
1.1.0 A.10.8.1
1.2.2 A.10.8.2
1.2.6 A.11.1.1
4.2.3 A.11.6.1
5.2.1 A.11.4.6
7.1.2 A.12.3.1
7.2.1 A.12.5.4
7.2.2 A.15.1.4
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1
A.9.2.2
A.9.2.3
A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
9.1.0 A.6.1.3
9.1.1 A.10.1.1
9.2.1 A.10.1.4
9.2.2 A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
3.2.4 A.10.1.3
8.2.2 A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3
1.2.6 45 CFR 164.308 (a)(5)(ii)(C) A.10.1.4
45 CFR 164.312 (b) A.12.5.1
A.12.5.2
1.2.3 A.7.2.1
1.2.6
4.1.2
8.2.1
8.2.5
8.2.6
3.2.4 45 CFR 164.312(e)(1) A.7.2.1
4.2.3 45 CFR 164.312(e)(2)(i) A.10.6.1
7.1.2 A.10.6.2
7.2.1 A.10.9.1
7.2.2 A.10.9.2
8.2.1 A.15.1.4
8.2.5
1.1.2 A.7.2.2
5.1.0 A.10.7.1
7.1.2 A.10.7.3
8.1.0 A.10.8.1
8.2.5
8.2.6
8.2.3 A.9.1.1
A.9.1.2
A.11.4.3
8.2.3 A.9.1.6
8.2.3 A.9.1.1
1.2.6 A.12.1.1
8.2.1 A.15.2.2
8.2.7
Clause 4.2.3
Clause 4.2.4
Clause 4.3.1
Clause 5
Clause 7
A.5.1.2
A.10.1.2
A.10.2.3
A.14.1.2
A.15.2.1
A.15.2.2
8.2.1 A.15.3.2
8.1.0 45 CFR 164.308 (a)(3)(i) A.11.1.1
45 CFR 164.312 (a)(1) A.11.2.1
45 CFR 164.312 (a)(2)(ii) A.11.2.4
45 CFR 164.308(a)(4)(ii)(B) A.11.4.1
45 CFR 164.308(a)(4)(ii)(c ) A.11.5.2
A.11.6.1
A.10.6.1
A.11.1.1
A.11.4.4
A.11.5.4
8.2.2 45 CFR 164.308 (a)(1)(ii)(D) A.10.1.3
45 CFR 164.308 (a)(3)(ii)(A)
45 CFR 164.308(a)(4)(ii)(A)
45 CFR 164.308 (a)(5)(ii)(C)
45 CFR 164.312 (b)
7.1.1 A.6.2.1
7.1.2 A.8.3.3
7.2.1 A.11.1.1
7.2.2 A.11.2.1
7.2.3 A.11.2.4
7.2.4
8.2.2 45 CFR 164.308 (a)(3)(i) A.11.2.1
45 CFR 164.308 (a)(3)(ii)(A) A.11.2.2
45 CFR 164.308 (a)(4)(i) A.11.4.1
45 CFR 164.308 (a)(4)(ii)(B) A 11.4.2
45 CFR 164.308 (a)(4)(ii)(C) A.11.6.1
45 CFR 164.312 (a)(1)
A.11.4.1
A 11.4.4
A.11.5.4
8.2.1 45 CFR 164.308 (a)(1)(ii)(D) A.10.10.1
8.2.2 45 CFR 164.312 (b) A.10.10.2
45 CFR 164.308(a)(5)(ii)© A.10.10.3
A.10.10.4
A.10.10.5
A.11.2.2
A.11.5.4
A.11.6.1
A.13.1.1
A.13.2.3
A.15.2.2
A.15.1.3
A.10.10.1
A.10.10.6
1.2.4 A.10.3.1
8.2.5 A.10.6.1
A.10.6.2
A.10.9.1
A.10.10.2
A.11.4.1
A.11.4.5
A.11.4.6
A.11.4.7
A.15.1.4
1.2.6 A.10.1.4
A.10.3.2
A.11.1.1
A.12.5.1
A.12.5.2
A.12.5.3
8.2.2 A.6.2.3
8.2.5 A.10.6.2
1.2.5 45 CFR 164.308 (a)(4)(ii)(A) A.6.2.3
45 CFR 164.308 (b)(1) A10.2.1
45 CFR 164.308 (b)(2)(i) A.10.8.2
45 CFR 164.308 (b)(2)(ii) A.11.4.6
45 CFR 164.308 (b)(2)(iii) A.11.6.1
45 CFR 164.308 (b)(3) A.12.3.1
45 CFR 164.308 (b)(4) A.12.5.4
45 CFR 164.312(e)(2)(i)
45 CFR 164.312 (c)(1)
45 CFR 164.312(e)(2)(ii)
45 CFR 164.314 (a)(1)(i)
45 CFR 164.314 (a)(1)(ii)(A)
45 CFR 164.314 (a)(2)(i)
45 CFR 164.314 (a)(2)(i)(A)
45 CFR 164.314 (a)(2)(i)(B)
45 CFR 164.314 (a)(2)(i)(C)
45 CFR 164.314 (a)(2)(i)(D)
45 CFR 164.314 (a)(2)(ii)(A)
45 CFR 164.314 (a)(2)(ii)(A)(1)
45 CFR 164.314 (a)(2)(ii)(A)(2)
45 CFR 164.314 (a)(2)(ii)(B)
45 CFR 164.314 (a)(2)(ii)(C)
45 CFR 164.314 (b)(1)
45 CFR 164.314 (b)(2)
45 CFR 164.314 (b)(2)(i)
45 CFR 164.314 (b)(2)(ii)
45 CFR 164.314 (b)(2)(iii)
45 CFR 164.314 (b)(2)(iv)
1.2.11 45 CFR 164.308(b)(1) A.6.2.3
4.2.3 45 CFR 164.308 (b)(4) A.10.2.1
7.2.4 A.10.2.2
10.2.3 A.10.6.2
10.2.4
A9.4.2 Commandment #1
A9.4.1, Commandment #2
8.1*Partial, A14.2.3, Commandment #4
8.1*partial, A.14.2.7 Commandment #5
A12.6.1, Commandment #11
A18.2.2
A9.1.1. Commandment #6
Commandment #7
Commandment #8
A13.2.1, Commandment #1
A13.2.2, Commandment #9
A9.1.1, Commandment #11
A9.4.1,
A10.1.1
A18.1.4
A13.2.1, All
A13.2.2,
A9.1.1,
A9.4.1,
A10.1.1
A18.1.4
Clauses Commandment #1
4.3(a), Commandment #2
4.3(b), Commandment #3
5.1(e),
5.1(f),
6.2(e),
9.1,
9.1(e),
9.2,
9.3(f),
Clauses Commandment #1
A12.7.1
4.3(a), Commandment #2
4.3(b), Commandment #3
5.1(e),
5.1(f),
9.1,
9.2,
9.3(f),
A18.2.1
Clauses Commandment #1
4.2(b), Commandment #2
4.4, Commandment #3
5.2(c),
5.3(ab),
6.1.2,
6.1.3,
6.1.3(b),
7.5.3(b),
7.5.3(d),
8.1,
8.3
9.2(g),
9.3,
9.3(b),
9.3(f),
10.2,
A.8.2.1,
A.18.1.1,
A.18.1.3,
A.18.1.4,
A.18.1.5
A11.2.2, Commandment #1
A11.2.3 Commandment #2
Commandment #3
Commandment #4
Commandment #9
Commandment #11
A11.1.4, Commandment #1
A11.2.1 Commandment #2
Commandment #3
A11.2.1 Commandment #1
Commandment #2
Commandment #3
A11.2.4 Commandment #2
Commandment #5
Commandment #11
A.11.2.2, Commandment #1
A.11.2.3, Commandment #2
A.11.2.4 Commandment #3
A.17.1.1 Commandment #1
A.17.1.2 Commandment #2
Commandment #3
Clause 5.1(h) Commandment #1
A.6.1.1 Commandment #2
A.7.2.1 Commandment #3
A.7.2.2 Commandment #6
A.12.1.1 Commandment #7
A18.2.1 Commandment #1
A.15.1.2 Commandment #2
A.12.1.4 Commandment #3
8.1* (partial)
8.1* (partial) A.15.2.1
8.1* (partial) A.15.2.2
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* (partial) A.14.2.2
8.1* (partial) A.14.2.3
8.1* (partial) A.14.2.4
8.1* (partial) A.14.2.7
A.12.6.1
A.16.13
A.18.2.2
A.18.2.3
A.6.1.1 Commandment #1
A.12.1.1 Commandment #2
A.12.1.4 Commandment #3
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* partial A.14.2.2
8.1* partial A.14.2.3
8.1* partial A.14.2.4
A.12.6.1
A.16.1.3
A.18.2.2
A.18.2.3
A.6.1.2 Commandment #1
A.12.2.1 Commandment #2
A.9.4.4 Commandment #3
A.9.4.1 Commandment #5
A.12.5.1 Commandment #11
8.1* (partial) A.14.2.4
A.12.1.4 Commandment #1
8.1* (partial) A.14.2.2 Commandment #2
8.1* (partial) A.14.2.3 Commandment #3
Commandment #11
A.8.2.1 Commandment #9
Clause
4.2
5.2,
7.5,
8.1
A.8.2.1 Commandment #4
A.13.1.1 Commandment #5
A.13.1.2 Commandment #9
A.14.1.2 Commandment #10
A.14.1.3 Commandment #11
A.18.1.4
A.8.2.2 Commandment #8
A.8.3.1 Commandment #9
A.8.2.3 Commandment #10
A.13.2.1
A.8.1.3 Commandment #9
A.12.1.4 Commandment #10
A.14.3.1 Commandment #11
8.1* (partial) A.14.2.2.
A.6.1.1 Commandment #6
A.8.1.2 Commandment #10
A.18.1.4
A.11.2.7 Commandment #11
A.8.3.2
Annex A.8
A.11.1.1 Commandment #1
A.11.1.2 Commandment #2
Commandment #3
Commandment #5
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
A.11.2.6 ITAR 22 Commandment #4
A.11.2.7 CFR § Commandment #5
120.17 Commandment #11
EAR 15 CFR
§736.2 (b)
A.8.1.1 Commandment #6
A.8.1.2 Commandment #7
Commandment #8
A.11.1.1 Commandment #1
A.11.1.2 Commandment #2
Commandment #3
Commandment #5
A.11.1.6 Commandment #1
Commandment #2
Commandment #3
Commandment #5
A.11.2.5 Commandment #6
8.1* (partial) A.12.1.2 Commandment #7
Annex
A.10.1
A.10.1.1
A.10.1.2
Clauses Commandment #9
5.2(c) Commandment #10
5.3(a) Commandment #11
5.3(b)
7.5.3(b)
7.5.3(d)
8.1
8.3
9.2(g)
A.8.2.3
A.10.1.2
A.18.1.5
A.13.1.1 Commandment #4
A.8.3.3 Commandment #5
A.13.2.3 Commandment #9
A.14.1.3 Commandment #10
A.14.1.2 Commandment #11
A.10.1.1
A.18.1.3
A.18.1.4
Annex
A.10.1
A.10.1.1
A.10.1.2
A.14.1.1 Commandment #2
A.18.2.3 Commandment #4
Commandment #5
Commandment #11
Clause
4.2.1 a,
4.2(b)
4.3 c,
4.3(a&b)
4.4
5.1(c)
5.1(d)
5.1(e)
5.1(f)
5.1(g)
5.1(h)
5.2
5.2 e,
5.2(f)
5.3
6.1.1(e)(2),
6.1.2(a)(1)
6.2
6.2(a)
Clause 8.1 Commandment #1
6.2(d)
A.5.1.2 Commandment #2
6.2 e, Commandment #3
6.12 (a) (2),
7.1
7.2(a),
7.2(b)
7.2(c)
7.2(d)
7.3(b),
7.3(c)
7.4
7.5.1 (a)
8.1*, partial
8.2
9.1
9.1 e,
9.2,
9.3
9.3(a)
9.3(b&f)
9.3(c),
9.3(c)(1)
9.3(c)(2),
9.3(c)(3)
9.3(d)
9.3(e)
10.1(c)
10.2,
A.5.1.2
A.12.1.2
A.15.2.2
A.17.1.1
A.18.2.2
A.18.2.3
Clause
4.2(b),
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
Clause
6.1.3(a)
6.1.1,
6.1.3(b)
6.1.1(e)(2)
8.1
6.1.2
9.3(a),
6.1.2(a)(1)
9.3(b)
6.1.2(a)(2),
9.3(b)(f)
6.1.2(b)
9.3(c)(c)
6.1.2
9.3(c)(1)
6.1.2(c)(1),
9.3(c)(2)
6.1.2(c)(2)
9.3(c)(3)
6.1.2(d)
9.3(d)
6.1.2(d)(1)
9.3(e)
6.1.2(d)(2)
9.3(f)
6.1.2(d)(3)
A.14.2.3
6.1.2(e)
A.12.6.1
6.1.2(e)(1)
A.17.1.1
6.1.2(e)(2)
A.18.1.1
6.1.3,
A.18.2.2
6.1.3(a)
A.18.2.3
6.1.3(b)
8.3
A.8.1.1
9.3(a),
A.8.1.2
9.3(b)
A.8.1.4
9.3(b)(f)
9.3(c)
9.3(c)(1)
A.7.1.1 ITAR 22 Commandment #2
9.3(c)(2) CFR § Commandment #3
9.3(c)(3) 120.17 Commandment #6
9.3(d) EAR 15 CFR Commandment #9
9.3(e) §736.2 (b)
9.3(f)
A.13.2.4
A.12.6.1 ITAR 22 Commandment #6
A.7.1.2
A.17.1.1 CFR § Commandment #7
A.18.2.2 120.17
A.18.2.3 EAR 15 CFR
§736.2 (b)
A.7.3.1 Commandment #6
Commandment #7
A.8.1.3 Commandment #1
Commandment #2
Commandment #3
Clause 7.2(a), 7.2(b) Commandment #3
A.7.2.2 Commandment #6
Commandment #2
Commandment #5
Commandment #11
A.9.1.1 ITAR 22 Commandment #6
A.9.2.1, CFR § Commandment #7
A.9.2.2 120.17 Commandment #8
A.9.2.5 EAR 15 CFR
A.9.1.2 §736.2 (b)
A.9.4.1
A.13.1.1 Commandment #3
A.9.1.1 Commandment #4
A.9.4.4 Commandment #5
Commandment #6
Commandment #7
Commandment #8
Annex
A.9.2
A.9.2.1
A.9.2.2
A.9.2.3,
A.9.2.4,
A.9.2.5,
A.9.2.6
A.6.1.2 Commandment #6
Commandment #7
Commandment #8
Commandment #10
A.9.2.6 Commandment #6
A.9.1.1 Commandment #7
A.9.2.1, A.9.2.2 Commandment #8
A.9.2.4 Commandment #9
A.9.2.5
A.9.4.2
A.9.1.2 Commandment #1
Deleted Commandment #5
A.9.4.4 Commandment #6
Commandment #7
A.12.4.1 Commandment #6
A.12.4.1 Commandment #7
A.12.4.2, A.12.4.3 Commandment #11
A.12.4.3
A.12.4.1
A.9.2.3
A.9.4.4
A.9.4.1
A.16.1.2
A.16.1.7
A.18.2.3
A.18.1.3
Annex
A.12.1.2
A.12.4,
A.12.4.1,
A.12.4.2,
A.12.4.3,
A.12.6.1,
A.12.6.2,
A.12.4.1
A.16.1.1,
A.12.4.4
A.16.1.2,
A.16.1.3,
A.16.1.4,
A.16.1.5,
A.16.1.6,
A.12.1.3
A.16.1.7 Commandment #1
Commandment #2
Commandment #3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
A.13.1.1 Commandment #1
A.13.1.2 Commandment #2
A.14.1.2 Commandment #3
A.12.4.1 Commandment #9
A.9.1.2 Commandment #10
A.13.1.3 Commandment #11
A.18.1.4
Annex
A.12.1.4
A.12.2.1
A.12.4.1
A.12.6.1
A.12.1.4 Commandment #1
A.14.2.9 Commandment #10
A.9.1.1 Commandment #11
8.1,partial, A.14.2.2
8.1,partial, A.14.2.3
8.1,partial, A.14.2.4
A.13.1.3 Commandment #1
A.9.4.1 Commandment #2
A.18.1.4 Commandment #3
Commandment #9
Commandment #10
Commandment #11
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
A.8.1.1
6.1.2 (c) Commandment #1
A.8.1.2
6.1.2(c)(1), Commandment #2
A.8.1.3
6.1.2(c)(2) Commandment #3
A.11.2.1
6.1.2(d) Commandment #4
A.11.2.4
6.1.2(d)(1) Commandment #5
A.13.1.1
6.1.2(d)(2) Commandment #9
A.13.1.2
6.1.2(d)(3) Commandment #10
A.13.2.1
6.1.2(e) Commandment #11
A.8.3.3
6.1.2(e)(1)
A.12.4.1
6.1.2(e)(2)
A.9.2.1,
6.1.3, A.9.2.2
A.13.1.3
6.1.3(a)
A.10.1.1
6.1.3(b)
A.10.1.2
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
9.3(d)
9.3(e)
9.3(f)
A.14.2.3
A.12.6.1
A.18.1.1
A.18.2.2
A.18.2.3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
Clause
6.1.2(a)(1)
6.1.1,
6.1.2(a)(2),
6.1.1(e)(2)
6.1.2(b)
6.1.2
6.1.2 (c)
6.1.2(a)(1)
6.1.2(c)(1),
6.1.2(a)(2),
6.1.2(c)(2)
6.1.2(b)
6.1.2(d)
6.1.2 (c)
6.1.2(d)(1)
6.1.2(c)(1),
6.1.2(d)(2)
6.1.2(c)(2)
6.1.2(d)(3)
6.1.2(d)
6.1.2(e)
6.1.2(d)(1)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
6.1.2 (c)
6.1.2(c)(1),
6.1.2(c)(2)
6.1.2(d)
Clause
6.1.2(d)(1)
6.1.1,
6.1.2(d)(2)
6.1.1(e)(2)
6.1.2(d)(3)
6.1.2
6.1.2(e)
6.1.2(a)(1)
6.1.2(e)(1)
6.1.2(a)(2),
Clause
6.1.2(e)(2)
6.1.2(b)
6.1.1,
6.1.3,
6.1.2 (c)
6.1.1(e)(2)
6.1.3(a)
6.1.2(c)(1),
6.1.2
6.1.3(b)
6.1.2(c)(2)
6.1.2(a)(1)
8.1
6.1.2(d)
6.1.2(a)(2),
8.3
6.1.2(d)(1)
Clause
6.1.2(b)
9.3(a),
6.1.2(d)(2)
6.1.1,
6.1.2
9.3(b) (c)
6.1.2(d)(3)
6.1.1(e)(2)
6.1.2(c)(1),
9.3(b)(f)
6.1.2(e)
6.1.2
6.1.2(c)(2)
9.3(c)
Clause
6.1.2(e)(1)
6.1.2(a)(1)
6.1.2(d)
9.3(c)(1)
6.1.1,
6.1.2(e)(2)
6.1.2(a)(2),
6.1.2(d)(1)
9.3(c)(2)
6.1.1(e)(2)
6.1.3,
6.1.2(b)
6.1.2(d)(2)
9.3(c)(3)
6.1.2
6.1.3(a)
6.1.2
9.3(d)(c)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
Clause
6.1.2(c)(1),
6.1.2(e)
9.3(e)
6.1.2(a)(2),
8.1
6.1.1,
6.1.2(c)(2)
6.1.2(e)(1)
9.3(f)
6.1.2(b)
8.3
6.1.1(e)(2)
6.1.2(d)
6.1.2(e)(2)
A.14.2.3
6.1.2 (c)
9.3(a),
6.1.2
6.1.2(d)(1)
6.1.3,
A.12.6.1
Clause
6.1.2(c)(1),
9.3(b)
6.1.2(a)(1)
6.1.2(d)(2)
6.1.3(a)
A.18.1.1
6.1.1,
6.1.2(c)(2)
9.3(b)(f)
6.1.2(a)(2),
6.1.2(d)(3)
6.1.3(b)
A.18.2.2
6.1.1(e)(2)
6.1.2(d)
9.3(c)
6.1.2(b)
6.1.2(e)
8.1
A.18.2.3
6.1.2
6.1.2(d)(1)
9.3(c)(1)
Clause
6.1.2 (c)
6.1.2(e)(1)
8.3
6.1.2(a)(1)
6.1.2(d)(2)
9.3(c)(2)
6.1.1,
6.1.2(c)(1),
6.1.2(e)(2)
9.3(a),
6.1.2(a)(2),
6.1.2(d)(3)
9.3(c)(3)
6.1.1(e)(2)
6.1.2(c)(2)
6.1.3,
9.3(b)
6.1.2(b)
6.1.2(e)
9.3(d)
6.1.2
6.1.2(d)
6.1.3(a)
9.3(b)(f)
6.1.2 (c)
6.1.2(e)(1)
9.3(e)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.3(b)
9.3(c)
6.1.2(c)(1),
6.1.2(e)(2)
9.3(f)
6.1.2(a)(2),
6.1.2(d)(2)
8.1
9.3(c)(1)
6.1.2(c)(2)
6.1.3,
Clause
A.14.2.3
6.1.2(b)
6.1.2(d)(3)
8.3
9.3(c)(2)
6.1.2(d)
6.1.3(a)
6.1.1,
A.12.6.1
6.1.2 (c)
6.1.2(e)
9.3(a),
9.3(c)(3)
6.1.2(d)(1)
6.1.3(b)
6.1.1(e)(2)
A.18.1.1
6.1.2(c)(1),
6.1.2(e)(1)
9.3(b)
9.3(d)
6.1.2(d)(2)
8.1
6.1.2
A.18.2.2
6.1.2(c)(2)
Clause
6.1.2(e)(2)
9.3(b)(f)
9.3(e)
6.1.2(d)(3)
8.3
6.1.2(a)(1)
A.18.2.3
6.1.2(d)
6.1.1,
6.1.3,
9.3(c)
9.3(f)
6.1.2(e)
9.3(a),
6.1.2(a)(2),
6.1.2(d)(1)
6.1.1(e)(2)
6.1.3(a)
9.3(c)(1)
A.14.2.3
6.1.2(e)(1)
9.3(b)
6.1.2(b)
6.1.2(d)(2)
6.1.2
6.1.3(b)
9.3(c)(2)
A.12.6.1
Clause
6.1.2(e)(2)
9.3(b)(f)
6.1.2 (c)
6.1.2(d)(3)
6.1.2(a)(1)
8.1
9.3(c)(3)
A.18.1.1
6.1.1,
6.1.3,
9.3(c)
6.1.2(c)(1),
6.1.2(e)
6.1.2(a)(2),
8.3
9.3(d)
A.18.2.2
6.1.1(e)(2)
6.1.3(a)
9.3(c)(1)
6.1.2(c)(2)
Clause
6.1.2(e)(1)
6.1.2(b)
9.3(a),
9.3(e)
A.18.2.3
6.1.2
6.1.3(b)
9.3(c)(2)
6.1.2(d)
6.1.1,
6.1.2(e)(2)
6.1.2
9.3(b)
9.3(f) (c)
6.1.2(a)(1)
8.1
9.3(c)(3)
6.1.2(d)(1)
6.1.1(e)(2)
6.1.3,
6.1.2(c)(1),
9.3(b)(f)
A.14.2.3
6.1.2(a)(2),
8.3
9.3(d)
6.1.2(d)(2)
6.1.2
6.1.3(a)
6.1.2(c)(2)
9.3(c)
A.12.6.1
6.1.2(b)
9.3(a),
9.3(e)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
6.1.2(d)
9.3(c)(1)
A.18.1.1
6.1.2
9.3(b)
9.3(f) (c)
6.1.2(e)
6.1.2(a)(2),
8.1
6.1.2(d)(1)
9.3(c)(2)
A.18.2.2
6.1.2(c)(1),
9.3(b)(f)
A.14.2.3
6.1.2(e)(1)
6.1.2(b)
8.3
6.1.2(d)(2)
9.3(c)(3)
A.18.2.3
6.1.2(c)(2)
9.3(c)
A.12.6.1
6.1.2(e)(2)
6.1.2 (c)
9.3(a),
6.1.2(d)(3)
9.3(d)
6.1.2(d)
9.3(c)(1)
A.18.1.1
6.1.3,
6.1.2(c)(1),
9.3(b)
6.1.2(e)
9.3(e)
6.1.2(d)(1)
9.3(c)(2)
A.18.2.2
6.1.3(a)
6.1.2(c)(2)
9.3(b)(f)
6.1.2(e)(1)
9.3(f)
6.1.2(d)(2)
9.3(c)(3)
A.18.2.3
6.1.3(b)
6.1.2(d)
9.3(c)
6.1.2(e)(2)
A.14.2.3
6.1.2(d)(3)
9.3(d)
8.1
6.1.2(d)(1)
9.3(c)(1)
6.1.3,
A.12.6.1
6.1.2(e)
9.3(e)
8.3
6.1.2(d)(2)
9.3(c)(2)
6.1.3(a)
A.18.1.1
6.1.2(e)(1)
9.3(f)
9.3(a),
6.1.2(d)(3)
9.3(c)(3)
6.1.3(b)
A.18.2.2
6.1.2(e)(2)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
Clause
6.1.2(a)(1)
6.1.1,
6.1.2(a)(2),
6.1.1(e)(2)
6.1.2(b)
6.1.2
Clause
6.1.2 (c)
6.1.2(a)(1)
6.1.1,
6.1.2(c)(1),
6.1.2(a)(2),
6.1.1(e)(2)
6.1.2(c)(2)
6.1.2(b)
6.1.2
6.1.2(d)
6.1.2 (c)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.2(c)(1),
6.1.2(a)(2),
6.1.2(d)(2)
6.1.2(c)(2)
Clause
6.1.2(b)
6.1.2(d)(3)
6.1.2(d)
6.1.1,
6.1.2 (c)
6.1.2(e)
6.1.2(d)(1)
6.1.1(e)(2)
6.1.2(c)(1),
6.1.2(e)(1)
6.1.2(d)(2)
6.1.2
6.1.2(c)(2)
6.1.2(e)(2)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.2(d)
6.1.3,
6.1.2(e)
6.1.2(a)(2),
6.1.2(d)(1)
6.1.3(a)
Clause
6.1.2(e)(1)
6.1.2(b)
6.1.2(d)(2)
6.1.3(b)
6.1.1,
6.1.2(e)(2)
6.1.2 (c)
6.1.2(d)(3)
8.1
6.1.1(e)(2)
6.1.3,
6.1.2(c)(1),
6.1.2(e)
8.3
6.1.2
6.1.3(a)
6.1.2(c)(2)
Clause
6.1.2(e)(1)
9.3(a),
6.1.2(a)(1)
6.1.3(b)
6.1.2(d)
6.1.1,
6.1.2(e)(2)
9.3(b)
6.1.2(a)(2),
8.1
6.1.2(d)(1)
6.1.1(e)(2)
6.1.3,
9.3(b)(f)
6.1.2(b)
8.3
6.1.2(d)(2)
6.1.2
6.1.3(a)
9.3(c)
Clause
6.1.2
9.3(a),(c)
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
9.3(c)(1)
6.1.1,
6.1.2(c)(1),
9.3(b)
6.1.2(e)
6.1.2(a)(2),
8.1
9.3(c)(2)
6.1.1(e)(2)
6.1.2(c)(2)
9.3(b)(f)
6.1.2(e)(1)
6.1.2(b)
8.3
9.3(c)(3)
6.1.2
6.1.2(d)
9.3(c)
6.1.2(e)(2)
6.1.2
9.3(a),(c)
9.3(d)
6.1.2(a)(1)
6.1.2(d)(1)
9.3(c)(1)
6.1.3,
6.1.2(c)(1),
9.3(b)
9.3(e)
6.1.2(a)(2),
6.1.2(d)(2)
9.3(c)(2)
6.1.3(a)
6.1.2(c)(2)
Clause
9.3(b)(f)
9.3(f)
6.1.2(b)
6.1.2(d)(3)
9.3(c)(3)
6.1.3(b)
6.1.2(d)
6.1.1,
9.3(c)
A.14.2.3
6.1.2 (c)
6.1.2(e)
9.3(d)
8.1
6.1.2(d)(1)
6.1.1(e)(2)
9.3(c)(1)
A.12.6.1
6.1.2(c)(1),
6.1.2(e)(1)
9.3(e)
8.3
6.1.2(d)(2)
6.1.2
9.3(c)(2)
A.18.1.1
6.1.2(c)(2)
6.1.2(e)(2)
9.3(f)
9.3(a),
6.1.2(d)(3)
6.1.2(a)(1)
9.3(c)(3)
A.18.2.2
6.1.2(d)
6.1.3,
Clause
A.14.2.3
9.3(b)
6.1.2(e)
6.1.2(a)(2),
9.3(d)
A.18.2.3
6.1.2(d)(1)
6.1.3(a)
6.1.1,
A.12.6.1
9.3(b)(f)
6.1.2(e)(1)
6.1.2(b)
9.3(e)
6.1.2(d)(2)
6.1.3(b)
6.1.1(e)(2)
A.18.1.1
9.3(c)
6.1.2(e)(2)
6.1.2
9.3(f) (c)
6.1.2(d)(3)
8.1
6.1.2
A.18.2.2
9.3(c)(1)
6.1.3,
6.1.2(c)(1),
A.14.2.3
6.1.2(e)
8.3
6.1.2(a)(1)
A.18.2.3
9.3(c)(2)
6.1.3(a)
6.1.2(c)(2)
A.12.6.1
Clause
6.1.2(e)(1)
9.3(a),
6.1.2(a)(2),
9.3(c)(3)
6.1.3(b)
6.1.2(d)
A.18.1.1
6.1.1,
6.1.2(e)(2)
9.3(b)
6.1.2(b)
9.3(d)
8.1
6.1.2(d)(1)
A.18.2.2
6.1.1(e)(2)
6.1.3,
9.3(b)(f)
6.1.2 (c)
9.3(e)
8.3
6.1.2(d)(2)
A.18.2.3
6.1.2
6.1.3(a)
9.3(c)
6.1.2(c)(1),
9.3(f)
9.3(a),
6.1.2(d)(3)
6.1.2(a)(1)
6.1.3(b)
9.3(c)(1)
6.1.2(c)(2)
A.14.2.3
9.3(b)
6.1.2(e)
6.1.2(a)(2),
8.1
9.3(c)(2)
6.1.2(d)
A.12.6.1
9.3(b)(f)
6.1.2(e)(1)
6.1.2(b)
8.3
9.3(c)(3)
6.1.2(d)(1)
A.18.1.1
9.3(c)
Clause
6.1.2(e)(2)
6.1.2 (c)
9.3(a),
9.3(d)
6.1.2(d)(2)
A.18.2.2
9.3(c)(1)
6.1.1,
6.1.3,
6.1.2(c)(1),
9.3(b)
9.3(e)
6.1.2(d)(3)
A.18.2.3
9.3(c)(2)
6.1.1(e)(2)
6.1.3(a)
6.1.2(c)(2)
9.3(b)(f)
9.3(f)
6.1.2(e)
9.3(c)(3)
6.1.2
6.1.3(b)
6.1.2(d)
9.3(c)
A.14.2.3
6.1.2(e)(1)
9.3(d)
6.1.2(a)(1)
8.1
6.1.2(d)(1)
9.3(c)(1)
A.12.6.1
6.1.2(e)(2)
9.3(e)
6.1.2(a)(2),
8.3
6.1.2(d)(2)
9.3(c)(2)
A.18.1.1
6.1.3,
9.3(f)
6.1.2(b)
9.3(a),
6.1.2(d)(3)
9.3(c)(3)
A.18.2.2
6.1.3(a)
A.14.2.3
6.1.2
9.3(b) (c)
6.1.2(e)
9.3(d)
A.18.2.3
6.1.3(b)
A.12.6.1
6.1.2(c)(1),
9.3(b)(f)
6.1.2(e)(1)
9.3(e)
8.1
A.18.1.1
6.1.2(c)(2)
9.3(c)
6.1.2(e)(2)
9.3(f)
8.3
A.18.2.2
6.1.2(d)
9.3(c)(1)
6.1.3,
A.14.2.3
9.3(a),
A.18.2.3
6.1.2(d)(1)
9.3(c)(2)
6.1.3(a)
A.12.6.1
9.3(b)
6.1.2(d)(2)
9.3(c)(3)
6.1.3(b)
A.18.1.1
9.3(b)(f)
6.1.2(d)(3)
9.3(d)
8.1
A.18.2.2
9.3(c)
6.1.2(e)
9.3(e)
8.3
A.18.2.3
9.3(c)(1)
6.1.2(e)(1)
9.3(f)
9.3(a),
9.3(c)(2)
6.1.2(e)(2)
A.14.2.3
9.3(b)
9.3(c)(3)
6.1.3,
A.12.6.1
9.3(b)(f)
9.3(d)
6.1.3(a)
A.18.1.1
9.3(c)
A.6.1.3 Commandment #1
A.6.1.4 Commandment #2
Commandment #3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
Clause
6.1.2 (c)
6.1.1,
6.1.2(c)(1),
6.1.1(e)(2)
6.1.2(c)(2)
6.1.2
6.1.2(d)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.2(a)(2),
6.1.2(d)(2)
A.15.1.2
6.1.2(b) Commandment #6
6.1.2(d)(3)
A.13.1.2
6.1.2 (c) Commandment #7
6.1.2(e)
6.1.2(c)(1), Commandment #8
6.1.2(e)(1)
6.1.2(c)(2)
6.1.2(e)(2)
6.1.2(d)
6.1.3,
6.1.2(d)(1)
6.1.3(a)
6.1.2(d)(2)
6.1.3(b)
6.1.2(d)(3)
8.1
6.1.2(e)
8.3
6.1.2(e)(1)
9.3(a),
6.1.2(e)(2)
9.3(b)
6.1.3,
9.3(b)(f)
6.1.3(a)
9.3(c)
6.1.3(b)
9.3(c)(1)
8.1
9.3(c)(2)
8.3
9.3(c)(3)
9.3(a),
9.3(d)
9.3(b)
9.3(e)
9.3(b)(f)
9.3(f)
9.3(c)
A.14.2.3
9.3(c)(1)
A.12.6.1
9.3(c)(2)
A.18.1.1
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
A.15.1.2,
6.1.2 (c) Commandment #1
8.1* partial,
6.1.2(c)(1), Commandment #4
A.13.2.2,
6.1.2(c)(2) Commandment #5
A.9.4.1
6.1.2(d) Commandment #6
A.10.1.1
6.1.2(d)(1) Commandment #7
6.1.2(d)(2) Commandment #8
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
9.3(d)
9.3(e)
9.3(f)
A.14.2.3
A.12.6.1
A.18.1.1
A.18.2.2
A.18.2.3
ITAR 22
CFR §
120.17
EAR 15 CFR
§736.2 (b)
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
Clause
6.1.2 (c)
6.1.1,
6.1.2(c)(1),
6.1.1(e)(2)
6.1.2(c)(2)
6.1.2
6.1.2(d)
6.1.2(a)(1)
6.1.2(d)(1)
6.1.2(a)(2),
6.1.2(d)(2)
6.1.2(b)
6.1.2(d)(3)
6.1.2 (c)
6.1.2(e)
6.1.2(c)(1),
6.1.2(e)(1)
6.1.2(c)(2)
6.1.2(e)(2)
6.1.2(d)
6.1.3,
6.1.2(d)(1)
6.1.3(a)
6.1.2(d)(2)
6.1.3(b)
6.1.2(d)(3)
8.1
6.1.2(e)
8.3
Clause
6.1.1,
6.1.1(e)(2)
6.1.2
6.1.2(a)(1)
6.1.2(a)(2),
6.1.2(b)
A.15.1.2
6.1.2 (c) Commandment #1
8.1* partial,
6.1.2(c)(1), Commandment #2
8.1* partial, A.15.2.1
6.1.2(c)(2) Commandment #3
A.13.1.2
6.1.2(d)
6.1.2(d)(1)
6.1.2(d)(2)
6.1.2(d)(3)
6.1.2(e)
6.1.2(e)(1)
6.1.2(e)(2)
6.1.3,
6.1.3(a)
6.1.3(b)
8.1
8.3
9.3(a),
9.3(b)
9.3(b)(f)
9.3(c)
9.3(c)(1)
9.3(c)(2)
9.3(c)(3)
9.3(d)
9.3(e)
A.12.2.1
9.3(f) Commandment #4
Commandment #5
CIP-007-3 - R5.1
CIP-003-3 - R4.2
CIP-004-3 R3.2
CIP-003-3 - R6
CIP-009-3 - R2
Chapter II CIP-009-3 - R4
Article 19
CIP-004-3 - R2.2
CIP-007-3 - R7.1
Chapter VI, Section I, Article 39 and Chapyer VI, Section II, Article 41 CIP-004-3 - R1 - R2 - R2.1
Chapter VI, Section I, Article 39 and Chapyer VI, Section II, Article 41
CIP-003-3 - R5.2
CIP-007-3 - R5.1 - R5.1.2
CIP-007-3 - R2
CIP-007-3 R5.1.1
CIP-003-3 - R5.1.1 - R5.3
CIP-004-3 R2.3
CIP-007-3 R5.1 - R5.1.2
CIP-004-3 R2.2.2
CIP-007-3 - R5 - R.1.3
CIP-004-3 R2.2.3
CIP-007-3 - R5.1.3 -R5.2.1 -
R5.2.3
CIP-004-3 R2.2.3
CIP-007-3 - R5.2 - R5.3.1 -
R5.3.2 - R5.3.3
CIP-004-3 R3
CIP-004-3 R3
CIP-007-3 - R6.1
Chapter VI, CIP-001-1a R3 - R4
Article 44.
Chatper II,
Article 16, part I
CIP-008-3 - R1.1
Chapter II
Article 14.
Chapter II
Article 14, 21
Chapter III
Article 25
Chapter V
Article 36
CIP-007-3 - R4 - R4.1 - R4.2
CP-9 AC-6(5)
CP-10 CP-9
SA-5 CP-9(1)
SA-10 CP-9(3)
SA-11 CP-10
CP-10(2)
SA-4(1)
SA-4(2)
SA-5
SA-10
SA-11
SA-11(1)
PE-1 PE-1
PE-13 PE-13
PE-14 PE-13(2)
PE-15 PE-13(3)
PE-18 PE-14
PE-15
PE-1 IR-9(4)
PE-5 PE-1
PE-14 PE-5
PE-15 PE-14
PE-18 PE-15
MA-2 IR-3(2)
MA-3 MA-2
MA-4 MA-3
MA-5 MA-3(1)
MA-6 MA-3(2)
MA-3(3)
MA-4
MA-4(2)
MA-5
MA-6
CP-8 CP-8
PE-1 CP-8(1)
PE-9 CP-8(2)
PE-10 IR-3(2)
PE-11 PE-1
PE-12 PE-9
PE-13 PE-10
PE-14 PE-11
PE-12
PE-13
PE-13(2)
PE-13(3)
PE-14
RA-3 CP-1
CP-2
CP-2(3)
CP-2(8)
RA-3
CM-2 CM-2
CM-3 CM-2 (1)
CM-4 CM-2 (3)
CM-5 CM-2 (7)
CM-6 CM-3
CM-9 CM-4
MA-4 CM-5
SA-3 CM-6
SA-4 CM-6 (1)
SA-5 CM-9
SA-8 IR-9 (2)
SA-10 MA-4
SA-11 MA-4 (2)
SA-12 SA-3
SA-4
SA-4 (1)
SA-4 (2)
SA-5
SA-8
SA-10
SA-11
SA-11 (1)
SI-7
SA-4 SA-4
SA-5 SA-4 (1)
SA-8 SA-4 (2)
SA-9 SA-4 (9)
SA-10 SA-5
SA-11 SA-8
SA-12 SA-9
SA-13 SA-9 (1)
SA-10
SA-10 (1)
SA-11
SA 11 (1)
CM-1 CM-1
CM-2 CM-2
SA-3 CM-2 (1)
SA-4 CM-2 (2)
SA-5 CM-2 (3)
SA-8 CM-2 (7)
SA-10 SA-3
SA-11 SA-4
SA-13 SA-4 (1)
SA-4 (2)
SA-5
SA-8
SA-10
SA-10 (1)
SA-11
SA-11 (1)
TR-2 SYSTEM OF
RECORDS NOTICES
AND PRIVACY ACT
STATEMENTS
AC-14 AC-1 TR-2 SYSTEM OF
AC-21 AC-22 RECORDS NOTICES
AC-22 SC-8 AND PRIVACY ACT
IA-8 SC-8(1) STATEMENTS
AU-10 SI-7
SC-4
SC-8
SC-9
MP-7
MP-7(1)
PE-2 PE-2
PE-3 PE-3
PE-6 PE-6
PE-7 PE-6(1)
PE-8 PE-8
PE-18
IA-3 IA-3
IA-4 IA-4
IA-4(4)
AC-17 AC-1
MA-1 AC-17
PE-1 AC-17(1)
PE-16 AC-17(2)
PE-17 AC-17(3)
AC-17(4)
MA-1
PE1
PE-16
PE-17
CM-8 CM-8
CM-8(1)
CM-8(3)
CM-8(5)
MP-6
MP-6(2)
PE-2 PE-2
PE-3 PE-3
PE-4 PE-4
PE-5 PE-5
PE-6 PE-6
PE-6(1)
PE-7 PE-16
PE-16
PE-18
MA-1 MA-1
MA-2 MA-2
PE-16 PE-16
SC-39
PE-2 PE-2
PE-3 PE-3
PE-6 PE-6
PE-18 PE-6(1)
SC-12 SC-12
SC-13 SC-13
SC-17 SC-17
SC-28 SC-28(1)
AC-18 AC-1
IA-3 AC-18
IA-7 AC-18(1)
SC-7 IA-7
SC-8 SC-7(4)
SC-9 SC-8
SC-13 SC-8(1)
SC-16 SC-13
SC-23 SC-23
SI-8 SC-28
SC-28(1)
SI-8
SC-12
CM-1 CM-1
PM-1
PM-11
AC-1 AC-1
AT-1 AT-1
AU-1 AU-1
CA-1 CA-1
CM-1 CM-1
IA-1 IA-1
IR-1 IR-1
MA-1 MA-1
MP-1 MP-1
MP-1 PE-1
PE-1 PL-1
PL-1 PS-1
PS-1 SA-1
SA-1 SC-1
SC-1 SI-1
SI-1
PL-4 PS-1
PS-1 PS-8
PS-8
AC-1 AC-1
AT-1 AT-1
AU-1 AU-1
CA-1 CA-1
CM-1 CM-1
CP-1 CP-1
IA-1 IA-1
IA-5 IA-5
IR-1 IA-5(1)
MA-1 IA-5(2)
MP-1 IA-5(3)
PE-1 IA-5(6)
PL-1 IA-5(7)
PM-1 IR-1
PS-1 MA-1
RA-1 MP-1
SA-1 PE-1
SC-1 PL-1
SI-1 PS-1
RA-1
SA-1
SC-1
SI-1
PL-5 RA-1
RA-2 RA-2
RA-3 RA-3
PS-4 PS-4
PS-2 PS-2
PS-3 PS-3
PS-3 (3)
PL-4 PS-1
PS-6 PS-2
PS-7 PS-6
PS-7
PS-4 PS-2
PS-5 PS-4
PS-
5
PS-6
PS-8
AC-17 AC-1
AC-18 AC-17
AC-19 AC-17 (1)
MP-2 AC-17 (2)
MP-4 AC-17 (3)
MP-6 AC-17 (4)
AC-18
AC-18 (1)
AC-19
MP-2
MP-4
MP-7
CM-7
MA-3
MA-4 CM-7
MA-5 CM-7 (1)
CM-7 (5)
MA-3
MA-3 (1)
MA-3 (2)
MA-3 (3)
MA-4
MA-4 (2)
MA-5
IA-2 (5)
AC-1 AC-1
AC-2 AC-2 (1)
AC-5 AC-2 (2)
AC-6 AC-2 (3)
AU-1 AC-2 (4)
AU-6 AC-2 (7)
SI-1 AC-2 (9)
SI-4 AC-5
AC-6
AC-6 (1)
AC-6 (2)
AC-6 (9)
AC-6 (10)
AU-1
AU-2
AU-6
AU-6 (1)
AU-6 (3)
SI-4
SI-4 (2)
SI-4 (4)
SI-4 (5)
UL-2
INFORMATION
SHARING WITH THIRD
PARTIES
- "FTC Fair Information
Principles
Integrity/Security
Security involves both
managerial and technical
measures to protect
against loss and the
unauthorized access,
destruction, use, or
disclosure of the data.(49)
Managerial measures
include internal
organizational measures
that limit access to data
and ensure that those
individuals with access do
AC-3 AC-2 AP-1 The the
not utilize organization
data for
AC-5 AC-2 (9) determines
unauthorized andpurposes.
AC-6 AC-3 documents the legal
Technical security
IA-2 AC-5 authority
measuresthat permits the
to prevent
IA-4 AC-6 collection,
unauthorized use,access
IA-5 AC-6 (1) maintenance,
include encryptionand sharing
in the
IA-8 AC-6 (2) of personally and
transmission identifiable
storage
MA-5 IA-2 information (PII),
of data; limits either
on access
PS-6 IA-2 (1) generally
through use or in
of support of
SA-7 IA-2 (2) a specific program
passwords; and theor
SI-9 IA-2 (3) information system
storage of data need.
on secure
IA-2 (8) servers or computers . -
IA-4 http://www.ftc.gov/reports/
IA-4 (4) privacy3/fairinfo.shtm"
IA-5
IA-5 (1)
IA-5 (2)
IA-5 (3)
IA-5 (6)
IA-5 (7)
IA-8
MA-5
PS-3 (3)
PS-6
SI-7
SA-10 (1)
AU-1 AU-1
AU-8 AU-7 (1)
AU-8
SA-4 SA-4
SA-4 (1)
-
SC-7 AC-4 (21)
CA-3
CA-3 (3)
CA-3 (5)
CA-9
CM-7
CM-7 (1)
CM-7 (2)
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-20
SC-21
SC-22
AC-4 AC-4
SC-2 CA-3
SC-3 CA-3 (3)
SC-7 CA-3 (5)
CA-9
SC-2
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SC-39
CA-3
AC-6 (5)
AC-1 AC-1
AC-18 AC-18
CM-6 AC-18 (1)
PE-4 CA-3
SC-3 CA-3 (3)
SC-7 CA-3 (5)
CM-6
CM-6 (1)
PE-4
RA-5 (8)
SC-7
SC-7 (3)
SC-7 (4)
SC-7 (5)
SC-7 (7)
SC-7 (8)
SC-7 (12)
SC-7 (13)
SC-7 (18)
SI-7
CA-3
CA-3 (3)
CA-3 (5)
CA-9
RA-5 (8)
SI-4 (1)
MP-7
MP-7 (1)
AC-19 (5)
AT-5 IR-6
IR-6 IR-6 (1)
SI-5 IR-9
SI-5
IR-9 (1)
IR-4 IR-4
IR-5 IR-4 (1)
IR-8 IR-5
IR-8
IR-9
IR-9 (3)
SI-7 (7)
SC-20 CA-3
SC-21 CP-6
SC-22 CP-6 (1)
SC-23 CP-6(3)
SC-24 CP-7
CP-7(1)
CP-7(2)
CP-7(3)
CP-8
CP-8(1)
CP-8(2)
SA-4(9)
SA-9
SA-9(1)
SA-9(2)
CA-3 CA-3
MP-5 MP-5
PS-7 MP-5 (4)
SA-6 PS-7
SA-7 SA-9
SA-9 SA-9(1)
S-9(4)
SA-9(5)
SI-7
CA-3 CA-3
SA-9 SA-9
SA-12 SA-9(1)
SC-7 SC-7
SC-7(3)
SC-7(4)
SC-7(5)
SC-7(7)
SC-7(8)
SC-7(12)
SC-7(13)
SC-7(18)
SA-7 AC-6(10)
SC-5 RA-5(5)
SI-3 RA-5(8)
SI-5 SC-5
SI-7 SI-3
SI-8 SI-3(1)
SI-3(2)
SI-5
SI-7
SI-7(1)
CM-3 SI-8
CA-8
CM-4 CM-3
CP-10 CM-4
RA-5 RA-5
SA-7 RA-5(1)
SI-1 RA-5(2)
SI-2 RA-5(3)
SI-5 RA-5(5)
RA-5(6)
SA-11(2)
SI-1
SI-2
SI-2(2)
SI-2(3)
SI-4
SI-5
SI-7(7)
SC-18 CA-9
RA-5(5)
ndidate Mapping
PA ID PA level
14.5 PA17 SGP 6.5
14.6 PA31 BSGP
9.2
14.5 PA25 GP 6.3.1
14.6 6.3.2
6.4 12.9.1
12.9.3
12.9.4
12.9.6
4.4 PA15 SGP 12.9.2
5.2(time limit)
6.3(whenever change occurs)
10.5 12.1
13.5 12.2
17.1 12.3
12.4
14.1
12.1 PA14 SGP 1.1.1
12.4 6.3.2
6.4
6.1
13.1 9.5
9.6
9.7.1
9.7.2
9.10
17.8 6.4.3
3.4
13.4 PA10 BSGP 3.1.1
13.5 PA39 SGP 9.10
PA34 SGP 9.10.1
PA40 SGP 9.10.2
3.1
12.3
PA4
PA8
PA37
PA38
BSGP
BSGP
SGP
SGP
8.1 PA4 BSGP 9.1
8.2 9.1.1
9.1.2
9.1.3
9.2
PA22 GP
PA33 SGP
PA36
16.2 PA36 3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
16.1 PA25 GP 2.1.1
3.4
3.4.1
4.1
4.1.1
4.2
4.4 1.1
5.1 1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
4.1 12.5
4.1 12.1.3
6.1
1.1 PA2 BSGP 12.1.2
3.3 PA15 SGP
5.1
5.2
5.3
5.4
7.1
12.2
17.7
18.1
18.3
2.2
2.2 12.3.5
5.2
4.2
9.1 PA28 BSGP 12.6
12.6.1
12.6.2
9.1 8.5.7
12.6.1
8.1
15.4 10.5.5
15.1 3.5.1
15.2 8.5.1
12.5.4
15.4 9.1.2
3.0 PA24 P 6.4.2
3.1
3.2
3.3
3.4
3.5
9.4 6.4.1
14.1 6.4.2
14.2
19.1
2.2 12.8.1
4.3 12.8.2
12.8.3
12.8.4
3.2
9.2
15.2
9.2
9.2 8.5.4
8.5.5
12.2 7.1.2
14.2
17.6 PA11 BSGP 10.1
PA12 SGP 10.2
PA13 SGP 10.3
PA24 P 10.5
10.6
10.7
11.4
12.5.2
12.9.5
PA35 GP
10.4
PA36
17.1 PA3 BSGP 1.1
17.2 PA5 BSGP 1.1.2
PA16 SGP 1.1.3
PA19 GP 1.1.5
PA18 SGP 1.1.6
1.2
1.2.1
2.2.2
2.2.3
PA34 SGP
3.2 11.1.e
12.5.3
12.9
5.2
2.2
2.4
12.8.2
12.8.3
12.8.4
Appendix A
5.4
5.1
5.1.1
5.2
14.1
17.6 PA1 BSGP
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
12.4 PA2
14.1 PA8 BSGP
3
3.1
3.2
3.3
3.4
3.5
PCI DSS v3.0
6, 6.5
2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c, 7.1, 7.2, 7.3, 8.1,
8.2, 8.3, 8.4, 8.5, 8.6, 8.7,
8.8
10.5.5, 10.8
11.5, 11.6
11.2
11.3
6.3.2, 6.6
11.2.1, 11.2.2, 11.2.3,
11.3.1, 11.3.2, 12.1.2.b,
12.8.4
3.1
12.9.1
12.9.3
12.9.4
12.9.6
12.9.2, 12.10.2
9.1.3
9.5
9.6
9.9
9.9.1, 12.2
10.8, 11.6
4.3, 10.8,
11.1.2,
12.1
12.2
12.3
12.4
12.5, 12.5.3,
12.6, 12.6.2,
12.10
3.1
3.1.a
3.2
9.9.1
9.5. 9.5.1
9.6. 9.7, 9.8
10.7, 12.10.1
6.3.2, 12.3.4
1.3.3
2.1, 2.2.2
3.6
4.1
5.1, 5.2, 5.3, 5.4
6.2
7.1
9.1
9.1.1
9.1.2
9.1.3
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
10.1, 10.2, 10.3, 10.4,
10.5, 10.6, 10.7
11.1, 11.4, 11.5
12.3
1.1.1
6.3.2
6.4.5
3.1
9.6.1, 9.7.1
9.10
12.3
1.1.3
12.3.3
2.1.1
3.1
4.1
4.1.1
4.2
9.5, 9.5.1
9.6
9.7
9.8
9.9
6.4.3
3.7
12.5.5
12.10.4
3.1.1
9.8, 9.8.1, 9.8.2, 3.1
9.7.1
9.9
9.9.1
9.1
9.1.1
9.1.2, 9.1.3
9.2, 9.3, 9.4, 9.4.1, 9.4.2,
9.4.3, 9.4.4
9.6.3
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.1
9.4.1
9.1.1
9.4.2
9.1.2
9.4.3
9.2
9.4.4
9.3
9.5
9.4
9.5.1
9.4.1
9.4.2
9.4.3
9.4.4
9.5 7.1.3
3.5,
9.5.1
8.1
8.1.1
8.2.2
8.5
8.5.1
3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8,
4.1
6.5.3
8.2.1
8.2.2
2.1.1
2.3
3.3
3.4
3.4.1
4.1
4.1.1
4.2
4.3
6.5.3
6.5.4
8.2.1
3.5.2, 3.5.3
3.6.1, 3.6.3
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
2.2
2.2.1
2.2.2
2.2.3
2.2.4
12.2
12.6, 7.3, 8.8, 9.10
12.1
12.2
12.4
12.1.1
12.2
12.2
9.3
12.7
12.8.3
11.1
12.3
12.8.5
12.3
12.6
12.4
8.1.8
10.5
7.1.2
7.1.4
7.2
8.1
8.1.5
8.5
3.5.1, 7.0
8.0
12.5.4
1.2.2
7.1
7.1.2
7.1.3
7.2
7.2.3
9.1.2
9.1.3
7.3
8.8
9.10
6.4.2, 7.3
8.8
9.10
6.4.1
6.4.2, 7.1
7.1.1
7.1.2
7.1.3
7.1.4
12.8
7.2
12.2
7.2.2
7.3
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2
7.1
7.1.1
7.1.2
7.1.3
7.1.4
12.5.4
8.1.4
8.1.3
8.1.4
8.1.5, 12.5.4
8.0
10.1,
12.3
5.0
7.1
7.1.2
7.2
10.1
10.2
10.3
10.4
10.5
10.6
10.7, 10.8
11.4, 11.5, 11.6
12.5.2
10.5.5, 12.10.5
10.4
6.1
1.1
1.1.2
1.1.3
1.1.5
1.1.6
1.2
1.2.1
1.2.2
1.2.3
1.3
2.2.2
2.2.3
2.2.4
2.5
4.1
2.1
2.2
2.5
5.1
6.4.1
6.4.2
1.1
1.2
1.2.1
1.2.3
1.3
1.4
2.1.1
2.2.3
2.2.4
2.3
4.1
3.5.1, 3.6.6
1.2.3
2.1.1
4.1
4.1.1
11.1, 11.1.a, 11.1.b, 11.1.c, 11.1.d, 11.1.1, 11.1.2
9.1.3
4.1
4.1.1
4.3
4.1
12.5.3
12.10.1
12.1
12.10.1
12.1.1
2.4
12.8.2
12.8.4
2.4
12.8.2
12.8.3
12.8.4
Appendix A
1.4, 5.0
2.2
6.1
6.2
6.3.2
6.4.5
6.5
6.6
11.2
11.2.1
11.2.2
11.2.3
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
AC-2 Account Management X X AC-2j [at least annually] AIS-03 (see Note: these areas implied
note) by previous mappings to SI-
IAM-09 (see 9 which has been
note) incorporated by NIST into
IAM-12 AC-2, AC-3, AC-5, AC-6
AC-2 (2) Account Management | Removal of Temporary / Emergency Accounts X [No more than 30 days for temporary and IAM-05
emergency account types] IAM-10
IAM-11
AC-2 (3) Account Management | Disable Inactive Accounts X [90 days for user accounts] Requirement: The service provider IAM-05
defines the time period for non- IAM-11
user accounts (e.g., accounts IAM-10
associated with devices). The time
periods are approved and
accepted by the Authorizing
Official.
AC-2 (9) Account Management | Restrictions on Use of Shared Groups / Accounts X Required if shared/group accounts IAM-02
are deployed IAM-05
IAM-09
IAM-10 Appears to combine
components of seperation
of duty and principle of
least priviledge.
Apprehensive about
including IAM-10 as it does
not specifically state
revokation of credentials,
only reauthorization.
Removed
AssociatedIAM-10 2/3/15
with access
(BC)
outside of normal service
AC-2 (12) Account Management | Account Monitoring / Atypical Usage X AC-2 (12)(a) and AC-2 (12)(b) No CCM NIST control operations hours although
Additional FedRAMP Requirements Mapping has finer addressed ambiguously in
and Guidance: Required for Identified granularity certain areas of the CCM
privileged accounts. could be associated with
IAM-02 and IAM-09
AC-3 Access Enforcement X X AIS-03 (see Note: these areas implied
note) by previous mappings to SI-
IAM-09 9 which has been
IAM-12 incorporated by NIST into
AC-2, AC-3, AC-5, AC-6
AC-4 (21) Information Flow Enforcement | Physical / Logical Separation of Information X DSI-05 Regarding seperation of
Flows DSI-06 environments.
DSI-07
IVS-06
IVS-08
AC-6 (2) Least Privilege | Non-Privileged Access For No security Functions X [all security functions] AC-6 (2). Guidance: Examples of IAM-05
security functions include but are IAM-09
not limited to: establishing system IAM-13
accounts, configuring access
authorizations (i.e., permissions,
privileges), setting events to be
audited, and setting intrusion
detection parameters, system
programming, system and security
administration, other privileged
AC-6 (5) Least Privilege | Privileged Accounts X functions. BCR-04
GRM-04
IAM-06 Associated with logical
IVS-11 access reviews of
adminitrative or other
access and timely remova of
such access.
AC-6 (9) Least Privilege | Auditing Use of Privileged Functions X GRM-02
IAM-05
IAM-10 Associated with logical
IAM-11 access reviews of
adminitrative or other
access and timely removal
of such access.
AC-6 (10) Least Privilege | Prohibit Non-privileged Users from Executing Privileged X AIS-03 Implied from previous
Functions CCC-04 mappings to SI-3 (3) and SI-
GRM-11 4 (6) which NIST has
IAM-05 incorporated into AC-6 (10)
IVS-01
SEF-03
TVM-01
AC-7 Unsuccessful Logon Attempts X X AC-7a [not more than three] IAM-02
[fifteen minutes]
AC-8 System Use Notification X X Parameter: See Additional Requirements and Requirement: The service provider HRS-08
Guidance. shall determine elements of the
cloud environment that require
the System Use Notification
control. The elements of the cloud
environment that require System
Use Notification are approved and
accepted by the Authorizing
Official (AO).
Requirement: The service provider
shall determine how System Use
Notification is going to be verified
and provide appropriate
periodicity of the check. The
System Use Notification
verification and periodicity are
approved and accepted by the AO.
Guidance: If performed as part of a
Configuration Baseline check, then
the % of items requiring setting
that are checked and that pass (or
fail) check can be provided.
Requirement: If not performed as
part of a Configuration Baseline
check, then there must be
AC-10 Concurrent Session Control X [three (3) sessions for privileged access and documented agreement on how to IAM-02
two (2) sessions for non-privileged access] provide results of verification and
the necessary periodicity of the
verification by the service provider.
AC-11 Session Lock X AC-11a. [fifteen minutes] The documented agreement on HRS-11
how to provide verification of the IAM-12
results are approved and accepted
AC-11 (1) Session Lock | Pattern-Hiding Displays X by the AO. IAM-12
AC-12 Session Termination X HRS-11
Control addresses
appropriate session
termination.
AC-14 Permitted Actions Without Identification or Authentication X X IAM-02
AC-17 Remote Access X X HRS-05
DCS-04
AC-17 (1) Remote Access | Automated Monitoring / Control X HRS-05
DCS-04
AC-17 (2) Remote Access | Protection of Confidentiality / Integrity Using Encryption X HRS-05
DCS-04
AC-17 (3) Remote Access | Managed Access Control Points X HRS-05
DCS-04
AC-17 (4) Remote Access | Privileged Commands / Access X HRS-05
DCS-04
AC-17 (9) Remote Access | Disconnect / Disable Access X [no greater than 15 minutes] IAM-01 IAM-01 and IAM-02 are
IAM-02 applicable provided policies
and other documentation
specifically state the
limitations for session
termination for logical
remote access.
AC-19 (5) Access Control For Mobile Devices | Full Device / Container-Based X MOS-11 Direct mapping to MOS-11
Encryption as the conrol specifically
calls for device encryption
where any sensitive
information can be
accessed via the mobile
device. Partial mapping to
MOS-14 due to the
implication of technical
controls, which can be
inclusive of device
encryption. Removed
mapping to MOS-14 2/3/15
(BC)
AT-2 (2) Security Awareness | Insider Threat X No CCM NIST control HRS-09 and HRS-10
Mapping has finer describe requirements for
Identified granularity Security Awareness Training
but no specfic reference to
insider threats
AU-1 Audit and Accountability Policy and Procedures X X AU-1.b.1 [at least every 3 years] AAC-03
AU-1.b.2 [at least annually] GRM-06
GRM-08
GRM-09
GRM-11
IAM-05
IAM-07
IVS-01
IVS-03
AU-2 (3) Audit Events | Reviews and Updates X AU-2 (3). [Assignment: organization-defined Guidance: Annually or whenever IAM-12
frequency] changes in the threat environment IVS-01
are communicated to the service
Parameter: [annually or whenever there is a provider by the Authorizing
change in the threat environment] Official.
AU-6 Audit Review, Analysis, and Reporting X X AU-6a. [Assignment: organization-defined IAM-05
frequency] IAM-10
IVS-01
Parameter: [at least weekly] SEF-04
AU-6 (1) Audit Review, Analysis, and Reporting | Process Integration X IAM-05
IAM-10
IVS-01
SEF-04
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
AU-6 (3) Audit Review, Analysis, and Reporting | Correlate Audit Repositories X IAM-05
IAM-10
IVS-01
SEF-04
AU-9 (2) Protection of Audit Information | Audit Backup on Separate Physical Systems X AU-9 (2). [at least weekly] IAM-01
/ Components SEF-04
AU-9 (4) Protection of Audit Information | Access by Subset of Privileged Users X IAM-01 Direct Mapping:
IVS-01 IAM-01: specifies restricted
access to audit tools
IVS-01: specifies higher
levels of assurance for
protection of audit logs
AU-11 Audit Record Retention X X AU-11. [at least ninety days] AU-11. Requirement: The service IAM-12
provider retains audit records on- IVS-01
line for at least ninety days and SEF-04
further preserves audit records off-
line for a period that is in
accordance with NARA
requirements.
AU-12 Audit Generation X X AU-12a. [all information system and network IVS-01
components where audit capability is
deployed/available]
CA-1 Security Assessment and Authorization Policies and Procedures X X CA-1.b.1 [at least every 3 years] AIS-02
CA-1.b.2 [at least annually] AAC-02
AAC-03
CCC-01
CCC-05
GRM-03
GRM-06
GRM-08
GRM-09
GRM-11
IAM-07
CA-2 (1) Security Assessments | Independent Assessors X X Added to NIST Baseline for "Low" FedRAMP For JAB Authorization, must be an AAC-01
baseline. accredited 3PAO AAC-02
CA-2 (2) Security Assessments | Specialized Assessments X [at least annually] Requirement: To include No CCM Possible CCM states - "Policies and
'announced', 'vulnerability Mapping Mapping to procedures shall be
scanning' Identified TVM-02 established, and supporting
processes and technical
measures implemented, for
timely detection of
vulnerabilities within
organizationally-owned or
managed applications,
infrastructure network and
system components (e.g.
network vulnerability
assessment, penetration
testing) to ensure the
efficiency of implemented
security controls." NIST
states - "Organizations can
employ information system
monitoring, insider threat
assessments, malicious user
testing, and other forms of
testing (e.g., verification
and validation) to improve
readiness by exercising
organizational capabilities
and indicating
current performance levels
as a means of focusing
actions to improve security.
Organizations conduct
assessment activities in
accordance with applicable
federal laws, Executive
Orders, directives, policies,
regulations, and standards.
Authorizing officials
approve the assessment
methods in coordination
with the organizational risk
executive function.
Organizations can
incorporate vulnerabilities
uncovered during
assessments into
vulnerability remediation
processes." Related control
to CA-2 (2) is: SI-2. SI-2 is
mapped to TVM-02 in this
doc. I think this is a good
direct mapping. (JPM)
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CA-2 (3) Security Assessments | External Organizations X [Any FedRAMP Accredited 3PAO] [the No CCM Not clear what In the CCM there is no
conditions of a P-ATO in the FedRAMP Mapping control is reference of guidance in
Repository] Identified being defined external organizations
by NIST - assessments, meaning
circular "reciprocity".
definition NIST states - "Supplemental
HSTA - Guidance: Organizations
possible may often rely on
mapping to assessments of specific
STA-05 information systems by
other (external)
organizations. Utilizing such
existing assessments (i.e.,
reusing
existing assessment
evidence) can significantly
decrease the time and
resources required for
organizational assessments
by limiting the amount of
independent assessment
activities that organizations
need to perform. The
factors that organizations
may consider in
determining whether to
accept assessment results
from external organizations
can vary. Determinations
for accepting assessment
results can be based on, for
example, past assessment
experiences one
organization has had with
another organization, the
reputation that
organizations have with
regard to assessments, the
level of detail of supporting
assessment documentation
provided, or
CA-3 System Interconnections X X CA-3c. 3 Years / Annually and on input from GRM-02
FedRAMP IVS-06
IVS-09
IVS-10
IVS-12
IVS-13
STA-03
STA-05
STA-09
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CA-3 (3) System Interconnections | Unclassified Non-National Security System X Boundary Protections which meet the Trusted CA-3(3) Guidance: Refer to IVS-06 Finer In the CCM there is no
Connections Internet Connection (TIC) requirements Appendix H – Cloud Considerations IVS-09 granularity of reference of unclassified
of the TIC 2.0 Reference IVS-12 NIST conrol networks and
Architecture document. IVS-13 included in interconnections to Non-
broader CCM National systems.
definition NIST states -
"Organizations typically do
not have control over
external networks (e.g., the
Internet). Approved
boundary protection
devices (e.g., routers,
firewalls) mediate
communications (i.e.,
information flows) between
unclassified non-national
security systems and
external networks. This
control enhancement is
required for organizations
processing, storing, or
transmitting Controlled
Unclassified Information
(CUI)." (JPM)
CA-3 (5) System Interconnections | Restrictions on External Network Connections X For JAB Authorization, CSPs shall IVS-06 In the CCM there is no
include details of this control in IVS-09 reference of blacklisting and
their Architecture Briefing IVS-12 whitelisting of systems for
IVS-13 external connections.
NIST states - "
Organizations can constrain
information system
connectivity to external
domains (e.g., websites) by
employing one of two
policies with regard to such
connectivity: (i) allow-all,
deny by exception, also
known as blacklisting (the
weaker of the two policies);
or (ii) deny-all, allow by
exception, also known as
whitelisting (the stronger of
the two policies). For either
policy, organizations
determine what exceptions,
if any, are acceptable."
(JPM)
CA-5 Plan of Action and Milestones X X CA-5b. [at least monthly] CA-5 Guidance: Requirement: AIS-02
POA&Ms must be provided at GRM-03
least monthly.
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CA-6 Security Authorization X X CA-6c. [at least every three years or when a CA-6c. Guidance: Significant AIS-02
significant change occurs] change is defined in NIST Special AAC-02
Publication 800-37 Revision 1, CCC-05
Appendix F. The service provider GRM-03
describes the types of changes to GRM-11
the information system or the
environment of operations that
would impact the risk posture. The
types of changes are approved and
accepted by the Authorizing
Official.
CA-7 Continuous Monitoring X X CA-7d. [To meet Federal and FedRAMP Operating System Scans: at least AAC-01
requirements] monthly CCC-05
Database and Web Application GRM-03
Scans: at least monthly GRM-11
All scans performed by
Independent Assessor: at least
annually
CA-7 Guidance: CSPs must provide
evidence of closure and
remediation of high vulnerabilities
within the timeframe for standard
POA&M updates.
CA-7 (1) Continuous Monitoring | Independent Assessment X No CCM Specific In the CCM there is no
Mapping requirement reference of Independent
Identified not defined in Assessments on a
CCM continuous monitoring
bases.
CCM AAC-02
states - Independent
assessments have to occur
at least yearly.
"Independent reviews and
assessments shall be
performed at least annually
to ensure that the
organization addresses
nonconformities of
established policies,
standards, procedures, and
compliance obligations."
(JPM)
Could this be clarified using
a new CAIQ question?
CA-8 Penetration Testing X [at least annually] AAC-02 Implied from previous
TVM-02 mapping to RA-5(9) which
NIST has incorporated into
CA-8
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CA-8 (1) Penetration Testing | Independent Penetration Agent or Team X No CCM Specific In the CCM there is no
Mapping requirement reference of Independent
Identified not defined in Penetration Agent or Team.
CCM
CCM TVM-02 states -
Penetration testing needs
to be done, but never
mentions it being an
independent agent or team.
"Policies and procedures
shall be established, and
supporting processes and
technical measures
implemented, for timely
detection of vulnerabilities
within organizationally-
owned or managed
applications, infrastructure
network and system
components (e.g. network
vulnerability assessment,
penetration testing) to
ensure the efficiency of
implemented security
controls." (JPM) Could be
addressed with a new CAIQ
question?
Could this be clarified with
a new CAIQ question?
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CM-2 (1) Baseline Configuration | Reviews and Updates X CM-2 (1) (a). [at least annually] BCR-10
CM-2 (1) (b). [to include when directed by CCC-03
Authorizing Official] CCC-04
CCC-05
GRM-01
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CM-2(2) Baseline Configuration | Automation Support For Accuracy / Currency X CCC-03 Suggested mapping:
CCC-05 1) Map to CCM CCC-03,
CCC-05 control series
2) Extend CIAQ to add CCC-
03.2, CCC-05.2 with the
following additional
"Consensus Assessment
Questions":
>>>
CCC-03.2.1: Do you use
automated source code
management tools to
perform the ongoing code
stream segregation and
software code builds, while
ensuring the final build of
each generally available
code stream version
includes:
- Bill of Materials (BOM)
that identifies Application
code modules, middleware,
data stores and OS (inc.
patch levels) mappings to
your Cloud Infrastructure
tiers above Facility, namely,
Hardware/Virtualized-
Infrastructure/Platform-
Architecture/Application.
- Validated Automated
Installation Instructions for
CM-2 (3) Baseline Configuration | Retention of Previous Configurations X BCR-10 each Cloud Infrastructure
CCC-03 tier
CCC-04
CCC-05 CCC-05.2.1: Do you use
GRM-01 automated tools to
maintain pristine baseline
copies of each generally
CM-2 (7) Baseline Configuration | Configure Systems, Components, or Devices for X BCR-10 availablebycode
Implied set within
former mappinga
High-Risk Areas CCC-03 master
of theselibrary
areas stored
to CM-2within
(5)
CCC-04 your Cloud
which has been Operations
CCC-05 DevOps infrastructure
incorporated , so
by NIST into
GRM-01 as
CM-2to: (7) in 800-53r4
- Track your various
instances of Cloud
CM-3 Configuration Change Control X Requirement: The service provider BCR-10 Deployments within a
establishes a central means of CCC-04 centralized Configuration
communicating major changes to CCC-05 Management scheme
or developments in the TVM-02 - Ensure up-to-date,
information system or complete and accurate
environment of operations that maintenance of various
may affect its services to the instances of your Cloud
federal government and associated Deployments
service consumers (e.g., electronic <<<
bulletin board, web status page).
The means of communication are
approved and accepted by the
Authorizing Official.
CM-5 (1) Access Restrictions For Change | Automated Access Enforcement / Auditing X CCC-04
CCC-05
IAM-06
CM-5 (3) Access Restrictions For Change | Signed Components X Guidance: If digital CCC-04 Suggested mapping:
signatures/certificates are 1) Map to CCM CCC-04
unavailable, alternative control series
cryptographic integrity checks 2) Extend CIAQ to add CCC-
(hashes, self-signed certs, etc.) can 04.2, with the following
be utilized. additional "Consensus
Assessment Questions":
>>>
CCC-04.2.1: Have you
implemented processes and
infrastructure that ensure
up-to-date, complete and
accurate maintenance of
various instances of your
Cloud Deployment, by:
- Segregating your
generally available R&D
code set build process from
your DevOps Configuration
Management libraries that
uniquely identify and track
pristine images of each
CM-5 (5) Access Restrictions For Change | Limit Production / Operational Privileges X CM-5 (5) (b). [at least quarterly] CCC-04 revision of your generally
CCC-05 available code set.
IAM-06 - Implementing an access
restriction model to your
CM-6 Configuration Settings X X CM-6a. [See CM-6(a) Additional FedRAMP CM-6a. Requirement: The service BCR-10 DevOps systems according
Requirements and Guidance] provider shall use the Center for CCC-05 to defined Segregation of
Internet Security guidelines (Level IVS-12 Duties (SoD) between your
1) to establish configuration core R&D and Cloud
settings or establishes its own Operations teams based on
configuration settings if USGCB is formal Release-To-
not available. Operations procedures.
CM-6a. Requirement: The service <<<
provider shall ensure that
checklists for configuration settings
are Security Content Automation
Protocol (SCAP) validated or SCAP
compatible (if validated checklists
are not available).
CM-6a. Guidance: Information on
the USGCB checklists can be found
at:
http://usgcb.nist.gov/usgcb_faq.ht
ml#usgcbfaq_usgcbfdcc .
CM-6 (1) Configuration Settings | Automated Central Management / Application / X BCR-10
Verification CCC-05
IVS-12
CM-7 Least Functionality X X CM-7. [United States Government Requirement: The service provider CCC-04
Configuration Baseline (USGCB)] shall use the Center for Internet IAM-03
Security guidelines (Level 1) to IAM-13
establish list of prohibited or IVS-06
restricted functions, ports,
protocols, and/or services or
establishes its own list of
prohibited or restricted functions,
ports, protocols, and/or services if
USGCB is not available.
CM-7. Guidance: Information on
the USGCB checklists can be found
at:
http://usgcb.nist.gov/usgcb_faq.ht
CM-7 (1) Least Functionality | Periodic Review X CM-7(1) [ At least Monthly] ml#usgcbfaq_usgcbfdcc. CCC-04
(Partially derived from AC-17(8).) IAM-03
IAM-13
IVS-06
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CM-7 (2) Least Functionality | Prevent Program Execution X CM-7(2) Guidance: This control IAM-10 Suggested mapping:
shall be implemented in a IAM-13 1) Map to CCM IAM-13, IVS-
technical manner on the IVS-06 06 control series
information system to only allow 2) Extend CIAQ to add IAM-
programs to run that adhere to the 13.2, IVS-06.2 with the
policy (i.e. white listing). This following additional
control is not to be based off of "Consensus Assessment
strictly written policy on what is Questions":
allowed or not allowed to run. >>>
IAM-13.2.1: Do you
maintain an up-to-date
Configuration Management
scheme (see suggested
mappings in CM-2 (2)) as
well as Platform-
Architecture
documentation, so as to
enable your Cloud
Operations function to:
- Retain the necessary
restrictions around
powerful utilities and
security devices as they
make changes to your Cloud
architecture as prescribed
by your core R&D function,
release over release
CM-7 (5) Least Functionality | Authorized Software / Whitelisting X CM-7(5)[ at least Annually or when there is a IAM-02 IVS-06.2.1: Do you maintain
Suggested mapping:
change.] IAM-03 an Map
1) up-to-date
to CCMConfiguration
IAM-13
IAM-0 Management
control series scheme (see
IAM-13 suggested
2) mappings
Extend CIAQ to addin IAM-
CM-
2 (2)) with
13.3, as well
theasfollowing
Platform-
Architecture
additional "Consensus
documentation,
Assessment so as to
Questions":
enable
>>> your Cloud
Operations function
IAM-13.3.1: to:
Do you have
- Maintain
defined qualifiedfor your
procedures
infrastructure
core R&D to qualify use,
configurations
restrictions andand whitelisting
periodically
of verifiedwithin
utility programs
hardened
your Cloudsysteminfrastructure,
components
and continuouslyin allreflected
your
Cloud
in Infrastructure
Platform tiers
architecture
above Facility, namely,
documentation, so as to
Hardware/Virtualized-
enable your DevOps and
Infrastructure/Platform-
Cloud Operations function
Architecture/Application.
to:
CM-8 Information System Component Inventory X X CM-8b. [at least monthly] CM-8 Requirement: must be DCS-05 <<<
provided at least monthly or when CCC-04 - Maintain your Cloud's
there is a change. services over an adequately
distributed set of
components, while enabling
CM-8 (1) Information System Component Inventory | Updates During Installations / X DCS-05 your Cloud Operations to
Removals CCC-04 retain the necessary
knowledge about
CM-8 (3) Information System Component Inventory | Automated Unauthorized X CM-8 (3) (a). [Continuously, using automated DCS-05 components and their
Component Detection mechanisms with a maximum five-minute delay CCC-04 functions that are
in detection.] candidates for activation vs.
elimination, with prescribed
integrity verifications.
CM-8 (5) Information System Component Inventory | No Duplicate Accounting of X DCS-05 <<<
Components CCC-04
CM-9 Configuration Management Plan X BCR-10
CCC-01
CCC-04
CCC-05
CM-10 (1) Software Usage Restrictions | Open Source Software X CCC-04 Suggested mapping:
GRM-01 1) Map to CCM GRM-01
control series
2) Extend CIAQ to add GRM-
01.2, with the following
additional "Consensus
Assessment Questions":
>>>
GRM-01.2: Do you have
established procedures for
authorized vs. restricted use
of open source software,
with a minimum set of
controls for:
- A formal requisition
process (such as a Form)
which records the name
and version of the code
component, the source (e.g.
website), the license, usage
model, etc.
- A process for submitting
the requisition request
CM-11 User-Installed Software X X CM-11.c. [Continuously (via CM-7 (5))] CCC-04 through a review
Suggested mapping: process,
GRM-01 so as toto
1) Map ensure Legal
CCM GRM-01
understanding
control series of proposed
use, any potential
2) Extend CIAQ to addconcerns
GRM-
associated
01.3, withfollowing
with the the license,
etc.
additional "Consensus
- A tracking Questions":
Assessment mechanism for
any
>>> caveats/obligations
associated with
GRM-01.3: Do you thehave
code
and its license
established (e.g.
procedures and
preservation of
systematic checks forcopyright
notices, incorporation
authorized installation of
of
permission
User-Installed statements
Software,into
Aboutadequate
with pages orcontrols
equivalent,
for:
etc.).
- Restricting installation
<<< Authenticated User
onto
systems or devices, or
prohibiting user installation
of software without explicit
privileged status.
- Installation from only user
organization approved "app
Contingency Planning (CP) 0 stores", whether hosted
CP-1 Contingency Planning Policy and Procedures X X CP-1.b.1 [at least every 3 years] AAC-03 within your Cloud
CP-1.b.2 [at least annually] BCR-01 infrastructure or general
BCR-09 consumer Public Clouds.
GRM-08 - Alerting end-users directly
GRM-09 or user organization
IAM-07 administrators of
unauthorized attempts of
installation on user systems
CP-2 Contingency Plan X X CP-2d. [at least annually] Requirement: For JAB BCR-01 or devices.
authorizations the contingency BCR-02 - If BYOD is a supported
lists include designated FedRAMP BCR-09 option for end-users of your
personnel. BCR-11 Cloud services, restricting
CP-2 (1) Contingency Plan | Coordinate With Related Plans X BCR-01 connections to only trusted
BCR-02 devices that support a
BCR-11 passcode policy, encryption
and remote App+Data
CP-2 (2) Contingency Plan | Capacity Planning X BCR-01 wipe-out, as a minimum set
BCR-02 of outsider threat controls.
BCR-11
CP-2 (3) Contingency Plan | Resume Essential Missions / Business Functions X BCR-09 Direct mapping to BCR-09
which specifies "establish
maximum tolerable period
for disruption"
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
CP-2 (8) Contingency Plan | Identify Critical Assets X BCR-09 Direct mapping to BCR-09
which specifies "identify
critical products and
services"
CP-4 (1) Contingency Plan Testing | Coordinate With Related Plans X BCR-01
BCR-02
CP-6 Alternate Storage Site X BCR-01
BCR-11
STA-03
CP-6 (1) Alternate Storage Site | Separation From Primary Site X BCR-01
BCR-11
STA-03
CP-7 (1) Alternate Processing Site | Separation From Primary Site X CP-7(1) Guidance: The service BCR-01
provider may determine what is BCR-11
considered a sufficient degree of STA-03
separation between the primary
and alternate processing sites,
based on the types of threats that
are of concern. For one particular
type of threat (i.e., hostile cyber
attack), the degree of separation
between sites will be less relevant.
CP-9 Information System Backup X X CP-9a. [daily incremental; weekly full] CP-9. Requirement: The service BCR-01
CP-9b. [daily incremental; weekly full] provider shall determine what BCR-04
CP-9c. [daily incremental; weekly full] elements of the cloud environment BCR-11
require the Information System
Backup control.
Requirement: The service provider
shall determine how Information
System Backup is going to be
verified and appropriate
periodicity of the check.
CP-9a. Requirement: The service
provider maintains at least three
backup copies of user-level
information (at least one of which
is available online) or provides an
equivalent alternative.
CP-9b. Requirement: The service
provider maintains at least three
backup copies of system-level
information (at least one of which
is available online) or provides an
equivalent alternative.
CP-9c. Requirement: The service
provider maintains at least three
backup copies of information
system documentation including
security information (at least one
CP-9 (1) Information System Backup | Testing For Reliability / Integrity X CP-9 (1). [at least annually] of which is available online) or BCR-01
provides an equivalent alternative. BCR-04
BCR-11
CP-9 (3) Information System Backup | Separate Storage for Critical Information X BCR-01
BCR-04
BCR-11
IA-2 (8) Identification and Authentication (Organizational Users) | Network Access to X IAM-09
Privileged Accounts - Replay Resistant IAM-12
IA-2 (11) Identification and Authentication (Organizational Users) | Remote Access - X The information system implements IAM-02 Could be mapped to IAM-02
Separate Device multifactor authentication for remote access to which references business
privileged and non-privileged accounts such case considerations for
that one of the factors is provided by a device multi-factor authentication?
separate from the system gaining access and
the device meets [Assignment: organization-
defined strength of mechanism requirements].
IA-2 (12) Identification and Authentication (Organizational Users) | Acceptance of PIV X X Guidance: Include Common Access No CCM NIST control Could be mapped to IAM-09
Credentials Card (CAC), i.e., the DoD technical Mapping has finer which references
implementation of PIV/FIPS Identified granularity authorization of users in
201/HSPD-12. accordance with
established policies and
procedures. For Federal
agencies, the PIV cards are
part of the IAM policies
defined by FICAM. Possible
CAIQ update to query for
the exact policies that are
followed?
IA-4 (4) Identifier Management | Identify User Status X IA-4 (4). [contractors; foreign nationals] DCS-03
IAM-09
IA-5 Authenticator Management X X IA-5g. [to include sixty days for passwords] GRM-09
IAM-07
IAM-09
IAM-12
IA-5 (1) Authenticator Management | Password-Based Authentication X X IA-5 (1) (a). [case sensitive, minimum of twelve GRM-09
characters, and at least one each of upper-case IAM-07
letters, lower-case letters, numbers, and special IAM-09
characters] IAM-12
IA-5 (1) (b). [at least one]
IA-5 (1) (d). [one day minimum, sixty day
maximum]
IA-5 (1) (e). [twenty four]
IA-5 (3) Authenticator Management | In-Person or Trusted Third-Party Registration X IA-5 (3). [All hardware/biometric (multifactor GRM-09
authenticators] [in person] IAM-07
IAM-09
IAM-12
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
IA-5 (4) Authenticator Management | Automated Support for Password Strength X IA-4e Additional FedRAMP No CCM Specific Don't see a place where this
Determination Requirements and Guidance: Mapping requirement maps to CCM
Guidance: If automated Identified not defined in
mechanisms which enforce CCM
password authenticator strength at
creation are not used, automated
mechanisms must be used to audit
strength of created password
authenticators
IA-5 (11) Authenticator Management | Hardware Token-Based Authentication X X No CCM NIST control Could be mapped to IAM-09
Mapping has finer which references
Identified granularity authorization of users in
accordance with
esatblished policies and
procedures. For Federal
agencies, the PIV cards are
part of the IAM policies
defined by FICAM. Possible
CAIQ update to query for
the exact policies that are
followed?
IA-8 (1) Identification and Authentication (Non-Organizational Users) | Acceptance X X No CCM NIST control Could be mapped to IAM-09
of PIV Credentials from Other Agencies Mapping has finer which references
Identified granularity authorization of users in
accordance with
esatblished policies and
procedures. For Federal
agencies, the PIV cards are
part of the IAM policies
defined by FICAM. Possible
CAIQ update to query for
the exact policies that are
followed?
IA-8 (2) Identification and Authentication (Non-Organizational Users) | Acceptance X X No CCM NIST control IAM-09? See notes for IA-8
of Third-Party Credentials Mapping has finer (1)
Identified granularity
IA-8 (3) Identification and Authentication (Non-Organizational Users) | Use of X X No CCM NIST control IAM-09? See notes for IA-8
FICAM-Approved Products Mapping has finer (1)
Identified granularity
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
IA-8 (4) Identification and Authentication (Non-Organizational Users) | Use of X X No CCM NIST control IAM-09? See notes for IA-8
FICAM-Issued Profiles Mapping has finer (1)
Identified granularity
This control also relates to
SA-4 (10)
IR-3 (2) Incident Response Testing | Coordination With Related Plans X BCR-07 BCR-07/08 - Mapping is
BCR-08 fairly self explanitory, the
control calls for policies and
proceedures to be in place.
IR-6 Incident Reporting X X IR-6a. [US-CERT incident reporting timelines as Requirement: Reports security SEF-01
specified in NIST Special Publication 800-61 (as incident information according to SEF-03
amended)] FedRAMP Incident
Communications Procedure.
IR-7 (1) Incident Response Assistance | Automation Support For Availability of X SEF-02
Information / Support SEF-03
SEF-04
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
IR-7 (2) Incident Response Assistance | Coordination With External Providers X SEF-02
SEF-03
SEF-04
IR-8 Incident Response Plan X X IR-8c. [at least annually] IR-8(b) Additional FedRAMP SEF-02
Requirements and Guidance: The SEF-04
service provider defines a list of SEF-05
incident response personnel
(identified by name and/or by role)
and organizational elements. The
incident response list includes
designated FedRAMP personnel.
IR-8(e) Additional FedRAMP
Requirements and Guidance: The
service provider defines a list of
incident response personnel
(identified by name and/or by role)
and organizational elements. The
incident response list includes
designated FedRAMP personnel.
IR-9 (1) Information Spillage Response | Responsible Personnel X BCR-01 Information spillage is
SEF-01 considered an incident for
SEF-02 all intents and purposes
SEF-03 therefore these can be
defined and mapped under
the BCP/DRPs
IR-9 (2) Information Spillage Response | Training X BCR-02 BCR-02 - Control states that
BCR-10 SIR should be tested (a form
of training) at planned
intervals, in most cases for
some military entites
specifically Army QRF use
this type of testing to
double as real time training
credits.
BCR-10 - Mapping is fairly
direct, considering the
requirement of workforce
training.
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
IR-9 (3) Information Spillage Response | Post-Spill Operations X BCR-02 BCR-02 - Control states that
SEF-02 SIR should be tested to
SEF-04 ensure that operations will
SEF-05 actually work in the event
that an incident actually
occurs.
Information spillage is
considered an incident for
all intents and purposes
therefore SEF-02 is
applicable due to the
nature of the control and
indication that the triage
(response and quarantine)
be addressed in a timely
manner.
SEF-04 indicates the
definition of proper
incident handling inclusive
of preservation of
evidenciary findings via CoC
and other forensic
procedures to preserve
integrity.
IR-9 (4) Information Spillage Response | Exposure to Unauthorized Personnel X BCR-03 BCR-03 Is applicable due to
BCR-06 the fact that the operations
should be tested to ensure
expossure to unauthorized
parties is circumvented.
Maintenance (MA) 1
MA-1 System Maintenance Policy and Procedures X X MA-1.b.1 [at least every 3 years] AAC-03
MA-1.b.2 [at least annually] DCS-04
DCS-08
GRM-06
GRM-08
GRM-09
IAM-07
MA-3 (3) Maintenance Tools | Prevent Unauthorized Removal X MA-3 (3) (d). [the information owner explicitly BCR-07
authorizing removal of the equipment from the IAM-03
facility]
MA-5 (1) Maintenance Personnel | Individuals Without Appropriate Access X Requirement: Only MA-5 (1)(a)(1) No CCM Specific DCS-08 and DCS-09 refer to
is required by FedRAMP Moderate Mapping requirement physical access controls but
Baseline Identified not defined in not as explicit as the NIST
CCM guidance regarding
escort/supervision of
maintenance personnel
MP-4 Media Storage X MP-4a. [all types of digital and non-digital MP-4a Additional FedRAMP HRS-05
media with sensitive information] within Requirements and Guidance: HRS-11
[FedRAMP Assignment: see additional Requirement: The service provider
FedRAMP requirements and guidance]; defines controlled areas within
facilities where the information
and information system reside.
MP-5 Media Transport X MP-5a. [all media with sensitive information] SEF-04
[prior to leaving secure/controlled STA-05
environment: for digital media, encryption
using a FIPS 140-2 validated encryption
module; for non-digital media, secured in
locked container]
MP-6 (2) Media Sanitization | Equipment Testing X [At least annually] Guidance: Equipment and DCS-05 May need a CAIQ question
procedures may be tested or specific to the testing of
validated for effectiveness Media Sanitization
procedures?
MP-7 (1) Media Use | Prohibit Use without Owner X DSI-06 DSI-06 - Specifically
DCS-01 requests an owner be
MOS-09 assigned
PE-3 Physical Access Control X X PE-3a.2 [CSP defined physical access control DCS-02
systems/devices AND guards] DCS-06
PE-3d. [in all circumstances within restricted DCS-09
access area where the information system IVS-01
resides]
PE-3f. [at least annually]
PE-6 (1) Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment X DCS-02
DCS-06
DCS-09
PE-8 Visitor Access Records X X PE-8a [for a minimum of one year] DCS-02
PE-8b. [at least monthly]
PE-9 Power Equipment and Cabling X BCR-08
PE-10 Emergency Shutoff X BCR-08
PE-11 Emergency Power X BCR-08
PE-12 Emergency Lighting X X BCR-08
PE-13 Fire Protection X X BCR-03
BCR-05
BCR-08
PE-14 Temperature and Humidity Controls X X PE-14a. [consistent with American Society of PE-14a. Requirements: The service BCR-05
Heating, Refrigerating and Air-conditioning provider measures temperature at BCR-06
Engineers (ASHRAE) document entitled Thermal server inlets and humidity levels by BCR-08
Guidelines for Data Processing Environments] dew point.
PE-14b. [continuously]
PE-14 (2) Temperature and Humidity Controls | Monitoring With Alarms / X No CCM Specific BCR-03 refers to monitoring
Notifications Mapping requirement of temperature and
Identified not defined in humidity controls but no
CCM reference to alarms or
automatic notifications
PL-2 System Security Plan X X PL-2c. [at least annually] No CCM Possible
Mapping Mapping to
Identified AAC-03 and/or
GRM-04?
PL-2 (3) System Security Plan | Plan / Coordinate With Other Organizational Entities X No CCM Possible
Mapping Mapping to
Identified GRM-04?
PL-4 (1) Rules of Behavior | Social Media and Networking Restrictions X No CCM Specific
Mapping requirement
Identified not defined in
CCM
PL-8 Information Security Architecture X PL-8b. [At least annually] No CCM Specific There are several CCM
Mapping requirement controls that relate to
Identified not defined in documentation of
CCM requirements, network
architecture, etc. but not
clear that those are the
same as the comprehensive
InfoSec Architecture that is
described in 800-53r4
PS-1 Personnel Security Policy and Procedures X X PS-1.b.1 [at least every 3 years] AAC-03
PS-1.b.2 [at least annually] GRM-06
GRM-07
GRM-08
GRM-09
HRS-03
HRS-07
IAM-07
PS-2 Position Risk Designation X X PS-2c. [at least every three years] DSI-06
HRS-02
HRS-03
HRS-04
HRS-07
PS-3 (3) Personnel Screening | Information With Special Protection Measures X PS-3 (3)(b). [personnel screening criteria – as HRS-02 Finer Not as specific as the NIST
required by specific information] IAM-09 granularity of definition, but HRS-02, IAM-
IAM-10 NIST conrol 09 and IAM-10 all refer to
included in granting access to
broader CCM information based on
definition sensitivity, appropriate use,
least privilege, etc.
PS-5 Personnel Transfer X X PS-5. [within five days of the formal transfer HRS-04
action (DoD 24 hours)] IAM-11
PS-6 Access Agreements X X PS-6b. [at least annually] HRS-03
PS-6c.2. [at least annually] HRS-04
HRS-06
HRS-07
IAM-09
IAM-10
PS-7 Third-Party Personnel Security X X PS-7d. organization-defined time period – same HRS-03
day HRS-07
IAM-10
STA-05
RA-1 Risk Assessment Policy and Procedures X X RA-1.b.1 [at least every 3 years] AAC-03
RA-1.b.2 [at least annually] GRM-08
GRM-09
GRM-10
GRM-11
IAM-07
RA-3 Risk Assessment X X RA-3b. [security assessment report] Guidance: Significant change is BCR-09
defined in NIST Special Publication GRM-02
RA-3c. [at least every three years or when a 800-37 Revision 1, Appendix F. GRM-08
significant change occurs] GRM-10
RA-3d. Requirement: to include GRM-11
RA-3e. [at least every three years or when a the Authorizing Official; for JAB
significant change occurs] authorizations to include FedRAMP
RA-5 Vulnerability Scanning X X RA-5a. [monthly operating RA-5a. Requirement: an accredited AAC-02
system/infrastructure; monthly web independent assessor scans TVM-02
applications and databases] operating systems/infrastructure,
web applications, and databases
RA-5d. [high-risk vulnerabilities mitigated once annually.
within thirty days from date of discovery; RA-5e. Requirement: to include the
moderate-risk vulnerabilities mitigated within Risk Executive; for JAB
ninety days from date of discovery] authorizations to include FedRAMP
RA-5 (6) Vulnerability Scanning | Automated Trend Analyses X RA-5(6) Guidance: include in AAC-02
Continuous Monitoring ISSO TVM-02
digest/report to Authorizing
Official
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
RA-5 (8) Vulnerability Scanning | Review Historic Audit Logs X RA-5 (8). Requirements: This IAM-02 Related to AU-6, covers
enhancement is required for all IAM-07 reporting on vulnerabilities,
high vulnerability scan findings. IVS-01 in most organizations this is
Guidance: While scanning tools IVS-12 associated with threat
may lable findings as high or IVS-13 modeling and identification
critical, the intent of the control is TVM-01 which can be used to
based around NIST's definition of determine identified risks.
high vulnerability.
SA-4 (2) Acquisition Process | Design / Implementation Information for Security X [to include security-relevant external system BCR-04 Implied from previous
Controls interfaces and high-level design] BCR-10 mapping to SA-5(3) which
CCC-02 NIST has incorporated into
CCC-03 SA-4(2)
SA-4 (8) Acquisition Process | Continuous Monitoring Plan X SA-4 (8). [at least the minimum requirement as SA-4 (8) Guidance: CSP must use No CCM Specific STA-04, STA-08 & STA-09
defined in control CA-7] the same security standards Mapping requirement refer to vendor assesments
regardless of where the system Identified not defined in performed at least annully
component or information system CCM but no reference to
service is aquired. continuous monitoring
SA-4 (9) Acquisition Process | Functions / Ports / Protocols / Services in Use X STA-03 Direct mapping - CCM
CCC-02 control describes
coordination of security
implementation during
design & development
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
SA-4 (10) Acquisition Process | Use of Approved PIV Products X X No CCM NIST control IAM-09? See notes for IA-8
Mapping has finer (1)
Identified granularity
This control also relates to
SA-4 (10)
SA-9 External Information System Services X X SA-9a. [FedRAMP Security Controls Baseline(s) CCC-02
if Federal information is processed or stored HRS-06
within the external system] STA-03
SA-9c. [Federal/FedRAMP Continuous STA-05
Monitoring requirements must be met for STA-09
external systems where Federal information is
processed or stored]
SA-9 (1) External Information Systems | Risk Assessments / Organizational Approvals X SA-9 (1) see Additional Requirement and SA-9 (1). Requirement: The service CCC-02
Guidance provider documents all existing GRM-11
outsourced security services and HRS-06
conducts a risk assessment of STA-03
future outsourced security STA-05
services. For JAB authorizations, STA-09
future planned outsourced
services are approved and
accepted by the JAB.
SA-9 (2) External Information Systems | Identification of Functions / Ports / Protocols X SA-9 (2). [All external systems where Federal STA-03 Direct mapping - STA-03
/ Services information is processed, transmitted or control describes
stored] coordination of security
implementation and how it
meets requirements
SA-9 (4) External Information Systems | Consistent Interests of Consumers and X SA-9 (4). [All external systems where Federal STA-05 STA-05 includes a reference
Providers information is processed, transmitted or to "Assessment and
stored] independent verification" of
providers, consistent with
the NIST description of SA-9
(4)
SA-9 (5) External Information Systems | Processing, Storage, and Service Location X SA-9 (5). [information processing, transmission, STA-05 Direct mapping: STA-05
information data, AND information services] includes a reference to
"Physical geographical
location of hosted services"
in the context of
establishing
customer/provider
agreements
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
SA-10 Developer Configuration Management X SA-10a. [development, implementation, AND SA-10e. Requirement: for JAB BCR-04
operation] authorizations, track security flaws BCR-10
and flaw resolution within the CCC-02
system, component, or service and CCC-03
report findings to organization-
defined personnel, to include
FedRAMP.
SA-10 (1) Developer Configuration Management | Software / Firmware Integrity X CCC-01 CCC-03 refers specifially to
Verification CCC-02 integrity of systems and
CCC-03 services
IVS-02
SA-11 (1) Developer Security Testing and Evaluation | Static Code Analysis X Requirement: SA-11 (1) or SA-11 BCR-04
(8) or both BCR-10
Requirement: The service provider CCC-02
documents in the Continuous CCC-03
Monitoring Plan, how newly DSI-05
developed code for the
information system is reviewed.
SA-11 (2) Developer Security Testing and Evaluation | Threat and Vulnerability X TVM-02 TVM-02 requires testnig to
Analyses ensure that vulnerabilities
are identified and
remediated
SA-11 (8) Developer Security Testing and Evaluation | Dynamic Code Analysis X Requirement: SA-11 (1) or SA-11 No CCM Specific
(8) or both Mapping requirement
Requirement: The service provider Identified not defined in
documents in the Continuous CCM
Monitoring Plan, how newly
developed code for the
information system is reviewed.
SC-7 (4) Boundary Protection | External Telecommunications Services X SC-7 (4). [at least annually] AIS-01
EKM-03
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (7) Boundary Protection | Prevent Split Tunneling for Remote Devices X AIS-01
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (8) Boundary Protection | Route Traffic to Authenticated Proxy Servers X AIS-01
IVS-06
IVS-09
IVS-12
STA-09
SC-7 (13) Boundary Protection | Isolation of Security Tools / Mechanisms / Support X SC-7 (13). Requirement: The AIS-01
Components service provider defines key IVS-06
information security tools, IVS-09
mechanisms, and support IVS-12
components associated with STA-09
system and security administration
and isolates those tools,
mechanisms, and support
components from other internal
information system components
via physically or logically separate
subnets.
SC-7 (18) Boundary Protection | Fail Secure X AIS-01
IVS-06
IVS-09
IVS-12
STA-09
SC-8 Transmission Confidentiality and Integrity X SC-8. [confidentiality AND integrity] AIS-01
AIS-04*
DSI-03
EKM-03
SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate X SC-8 (1). [prevent unauthorized disclosure of AIS-01
Physical Protection information AND detect changes to AIS-04*
information] [a hardened or alarmed carrier DSI-03
Protective Distribution System (PDS)] EKM-03
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
SC-10 Network Disconnect X SC-10. [no longer than 30 minutes for RAS- AIS-01
based sessions or no longer than 60 minutes IAM-12
for non-interactive user sessions]
SC-12 Cryptographic Key Establishment and Management X X SC-12 Guidance: Federally EKM-02
approved cryptography EKM-04
SC-12 (2) Cryptographic Key Establishment and Management | Symmetric Keys X SC-12 (2). [NIST FIPS-compliant] No CCM NIST control Could be EKM-02 & EKM-04
Mapping has finer - see note below for SC-
Identified granularity 12(3)
SC-12 (3) Cryptographic Key Establishment and Management | Asymmetric Keys X No CCM NIST control Not a true mapping, as this
Mapping has finer is a very specific control
Identified granularity which calls for a defined
process of generation,
storage and management of
asymmetric keys. EKM-02
could be a mapping due to
the fact that it specifically
talks about the process of
generation, storage and
management of
cryptographic keys,
however it does not state
whethere this is indicative
of asymmetric or symmetric
key pairings.
EKM-04 - could be a
mapping due to the aspect
that the ambiguity of the
control could be used to
encompass the level of
(class 3) key indicated in
FEDRamp control.
SC-15 Collaborative Computing Devices X X SC-15a. [no exceptions] No CCM Specific IVS-12 - Possibly, no other
Mapping requirement controls found for potential
Identified not defined in mapping (S.A.) IVS-12 could
CCM be a stretch for mapping as
this control seems to be
talking about peripherial
items such as prohibited
use of USB based items or
other peripherial devices
which can present a risk if
improperly utilized on
certain systems.
SC-19 Voice Over Internet Protocol X No CCM Specific Direct mapping not found
Mapping requirement (VoIP is not indicated in any
Identified not defined in CCM control)
CCM
SC-20 Secure Name / Address Resolution Service (Authoritative Source) X X IVS-06 Implied from previous
mapping to SC-20 (1) which
NIST has incorporated into
SC-20
SC-28 (1) Protection Of Information At Rest | Cryptographic Protection X EKM-02 EKM-02/03 - Could be
EKM-03 considered a true mapping
for this as each control
indicates that the control is
to adhere to the necessity
of preservation of integrity
and confidentiality of data.
SI-1 System and Information Integrity Policy and Procedures X X SI-1.b.1 [at least every 3 years] AAC-03
SI-1.b.2 [at least annually] CCC-04
DSI-04
GRM-06
GRM-08
GRM-09
IAM-07
TVM-02
SI-2 (3) Flaw Remediation | Time to Remediate Flaws / Benchmarks for Corrective X TVM-02 TVM-02 is the only possible
Actions mapping, however it could
be a stretch due to the fact
that it does not define a set
amount of time between
identification and
remediation.
SI-3 Malicious Code Protection X X SI-3.c.1 [at least weekly] [to include endpoints] AIS-03
SI-3.c.2 [to include alerting administrator or CCC-04
defined security personnel] TVM-01
SI-3 (7) Malicious Code Protection | Nonsignature-Based Detection X No CCM NIST control TVM-01 is a possible
Mapping has finer mapping however it is fairly
Identified granularity ambiguous and does not
directly make a distinction
between signature or
anamoly based malware
detection, the control
simply states malware
detection as an all
encompassing item.
SI-4 (1) Information System Monitoring | System-Wide Intrusion Detection System X IVS-01 IVS-01 is a mapping, as it
IVS-13 indicates adherence "to
applicable legal, statutory
or regulatory compliance
obligations"
SI-4 (2) Information System Monitoring | Automated Tools For Real-Time Analysis X AIS-03
CCC-04
GRM-11
IAM-05
IVS-01
SEF-03
SI-4 (4) Information System Monitoring | Inbound and Outbound Communications X SI-4 (4). [continually] AIS-03
Traffic CCC-04
GRM-11
IAM-05
IVS-01
SEF-03
SI-4 (5) Information System Monitoring | System-Generated Alerts X SI-4(5) Guidance: In accordance AIS-03
with the incident response plan. CCC-04
GRM-11
IAM-05
SI-4(14) Information System Monitoring | Wireless Intrusion Detection X IVS-01 No CCM NIST control IVS-12 is a possible mapping
SEF-03 Mapping has finer however it may be a stretch
Identified granularity due to the lack of calling
out WIDs distinctly. This
control does call out rogue
devices, therefore making
the mapping a match…
potentially.
DCS-03 may be a match due
to the indication of
identification of authorized
devices, say based on MAC
address which should only
allow authorized devices
(inclusive of wireless) to
connect to the network.
May be a stretch as it does
not specify wireless
distinctly.
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
SI-4 (16) Information System Monitoring | Correlate Monitoring Information X No CCM NIST control IVS-07 - Although
Mapping has finer ambiguous this could be a
Identified granularity mapping as it indicates the
need to implement
monitoring on all systems
which logically would
indicate the correlation
across multiple systems to
ensure proper reporting.
SEF-04 is a possible
mapping as it indicates the
necessity for monitoring
information, however it
does not indicate any
correlation or
syncronization between
other monitoring
technologies.
SI-4 (23) Information System Monitoring | Host-Based Devices X No CCM Specific IVS-06 - Could be used as a
Mapping requirement mapping however this may
Identified not defined in be a stretch because the
CCM FEDRamp control is
indicating the use of HIDs or
HIPs, with the CCM stating
network and virtualized
environments indicative of
NIDs/WIDs.
SI-5 Security Alerts, Advisories, and Directives X X SI-5a. [to include US-CERT] SEF-01
SI-5c. [to include system security personnel and SEF-03
administrators with configuration/patch- TVM-01
management responsibilities] TVM-02
SI-6 Security Function Verification X SI-6b [to include upon system startup and/or AIS-03
restart at least monthly] CCC-05
SI-6c [to include system administrators and
security personnel]
SI-6d [to include notification of system
administrators and security personnel]
SI-7 Software, Firmware, and Information Integrity X AAC-03 (note Areas implied by previous
3) mappings that have been
AIS-03 incorporated by NIST into
BCR-10 (note SI-7:
2) Note 1: AU-10 (5)
CCC-04 Note 2: CM-6 (3)
CCC-05 Note 3: SA-6
DSI-03 (note Note 4: SA-7
1)
IAM-09 (note
4)
IVS-12 (note
2)
SEF-04 (note
1)
SI-7 (1) Software, Firmware, and Information Integrity | Integrity Checks X SI-7 (1). [Selection to include security relevant STA-05
AIS-03 (note
events and at least monthly] 3)
CCC-04
TVM-01
CCC-05
TVM-01
ID CONTROL TITLE (NIST SP 800-53 Rev 4) Control Baseline FEDRAMP DEFINED ASSIGNMENT/SELECTION ADDITIONAL FEDRAMP CCM CROSS MAPPING TYPE NOTES
Low Moderate PARAMETERS REQUIREMENTS AND GUIDANCE REFERENCE STATUS
SI-7 (7) Software, Firmware, and Information Integrity | Integration of Detection and X AIS-03 AIS-03
Response IVS-01 is a mapping as this control
SEF-05 calls for input/output
TVM-02 integrity checks to ensure
prevention of tampering.