
This document contains mappings of the CIS Critical Security Controls (CIS Controls) and CIS Safeguards t

Revision 5
Last updated January 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org

Editors
Thomas Sager

Contributors
Will Spier
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls™ content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to NIST Special Publi
Reference link for NIST SP 800-53 R5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process


Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enterprise access control must be covered under this process, there can be no separation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
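As an added example that is not part of the CIS document, the Python helper below applies the four-value relationship vocabulary: it derives Equivalent, Superset, Subset or blank from the aspects of two items, renders a row left to right as the methodology prescribes, and inverts the table so it reads from the mitigation's side (Superset and Subset swap when the direction flips). The aspect strings, the MITIGATION-* identifiers and the rows other than 3.5 → PR.DS-3 are constructed placeholders, and an overlap with extras on both sides is returned as None because the text does not define that case.

```python
from dataclasses import dataclass

# The four values a relationship cell may hold; "" stands for the blank cell (no relationship).
RELATIONSHIPS = ("Equivalent", "Superset", "Subset", "")
# Direction matters: "CIS X is a Superset of Y" read from Y's side is "Y is a Subset of CIS X".
INVERSE = {"Equivalent": "Equivalent", "Superset": "Subset", "Subset": "Superset", "": ""}

# Constructed aspect list for CIS Safeguard 6.1, paraphrasing the four criteria listed above.
CIS_6_1_ASPECTS = [
    "documented process covering new hires and access changes",
    "all relevant enterprise access control covered by the process",
    "automated tooling such as SSO or directory-based access control",
    "same process followed on every change of a user's rights",
]


@dataclass(frozen=True)
class MappingRow:
    cis_safeguard: str   # e.g. "3.5"
    cis_title: str
    relationship: str    # one of RELATIONSHIPS
    mitigation: str      # identifier of the defensive mitigation in the other framework


def classify(cis_aspects, mitigation_aspects):
    """Derive the relationship from the aspects (distinct 'asks') of both items.

    Identical asks -> Equivalent; the CIS item covers strictly more -> Superset;
    the CIS item is subsumed -> Subset; nothing in common -> "" (blank cell).
    Overlap with extras on both sides is returned as None: the methodology does
    not define that case, so it is left to the analyst (assumption of this example).
    """
    cis, mit = set(cis_aspects), set(mitigation_aspects)
    if not cis or not mit:
        raise ValueError("both items must have at least one aspect")
    if cis == mit:
        return "Equivalent"
    if mit < cis:
        return "Superset"
    if cis < mit:
        return "Subset"
    if cis.isdisjoint(mit):
        return ""
    return None


def validate_row(row):
    """Reject rows that use a value outside the four-value vocabulary."""
    if row.relationship not in RELATIONSHIPS:
        raise ValueError(f"{row.cis_safeguard}: unknown relationship {row.relationship!r}")
    if row.relationship == "" and row.mitigation:
        raise ValueError(f"{row.cis_safeguard}: a blank cell must not name a mitigation")
    return True


def read_as_sentence(row):
    """Render a row left to right, the way the methodology says to read it."""
    phrase = {"Equivalent": "EQUIVALENT to", "Superset": "a SUPERSET of", "Subset": "a SUBSET of"}
    if row.relationship == "":
        return f'CIS Safeguard {row.cis_safeguard} "{row.cis_title}" has no relationship'
    return (f'CIS Safeguard {row.cis_safeguard} "{row.cis_title}" '
            f'is {phrase[row.relationship]} {row.mitigation}')


def invert(rows):
    """Index the mapping from the mitigation side, swapping Superset and Subset."""
    by_mitigation = {}
    for row in rows:
        validate_row(row)
        if row.relationship == "":
            continue
        by_mitigation.setdefault(row.mitigation, []).append(
            (row.cis_safeguard, INVERSE[row.relationship]))
    return by_mitigation


# Constructed rows: 3.5 -> PR.DS-3 is the example from the methodology text; the other
# mitigation identifiers are placeholders, not real NIST control numbers.
ROWS = [
    MappingRow("3.5", "Securely Dispose of Data", "Subset", "PR.DS-3"),
    MappingRow("16.8", "Separate Production and Non-Production Systems", "Equivalent", "MITIGATION-A"),
    MappingRow("6.1", "Establish an Access Granting Process", "Superset", "MITIGATION-B"),
    MappingRow("6.1", "Establish an Access Granting Process", "Subset", "MITIGATION-C"),
    MappingRow("3.6", "Encrypt Data on End-User Devices", "", ""),
]

if __name__ == "__main__":
    for r in ROWS:
        print(read_as_sentence(r))
    for target, links in invert(ROWS).items():
        for cis, rel in links:
            print(f"{target}: {rel} of CIS Safeguard {cis}")
```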

The CIS Controls are written with certain principles in mind, such as only having one ask per CIS Safeguar
relationship can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
- This Version of the CIS Controls
- The CIS Controls Ecosystem ("It's not about the list")
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why this Control is critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard
CIS CIS Sub- Security
Asset Type Title
Control Control Function
1 Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct)
network devices; non-computing/Internet of Th
virtually, remotely, and those within cloud envi
monitored and protected within the enterprise.
remove or remediate.

Establish and Maintain Detailed


1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed


1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed


1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets


1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host Configuration


1 1.4 Devices Identify Protocol (DHCP) Logging to
Update Enterprise Asset Inventory

Use a Passive Asset Discovery


1 1.5 Devices Detect
Tool

Use a Passive Asset Discovery


1 1.5 Devices Detect
Tool

2 Inventory and Control of Software Assets


Actively manage (inventory, track, and correct)
only authorized software is installed and can ex
prevented from installation or execution.

Establish and Maintain a Software


2 2.1 Applications Identify
Inventory

Establish and Maintain a Software


2 2.1 Applications Identify
Inventory

Establish and Maintain a Software


2 2.1 Applications Identify
Inventory

Ensure Authorized Software is


2 2.2 Applications Identify
Currently Supported

2 2.3 Applications Respond Address Unauthorized Software


2 2.3 Applications Respond Address Unauthorized Software

2 2.3 Applications Respond Address Unauthorized Software

2 2.3 Applications Respond Address Unauthorized Software

Utilize Automated Software


2 2.4 Applications Detect
Inventory Tools

2 2.5 Applications Protect Allowlist Authorized Software

2 2.5 Applications Protect Allowlist Authorized Software

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

2 2.7 Applications Protect Allowlist Authorized Scripts

2 2.7 Applications Protect Allowlist Authorized Scripts

2 2.7 Applications Protect Allowlist Authorized Scripts

3 Data Protection
Develop processes and technical controls to id
Establish and Maintain a Data
3 3.1 Data Identify
Management Process

Establish and Maintain a Data


3 3.1 Data Identify
Management Process

Establish and Maintain a Data


3 3.1 Data Identify
Management Process

Establish and Maintain a Data


3 3.2 Data Identify
Inventory

Establish and Maintain a Data


3 3.2 Data Identify
Inventory

Establish and Maintain a Data


3 3.2 Data Identify
Inventory

Establish and Maintain a Data


3 3.2 Data Identify
Inventory

Establish and Maintain a Data


3 3.2 Data Identify
Inventory

Configure Data Access Control


3 3.3 Data Protect
Lists

Configure Data Access Control


3 3.3 Data Protect
Lists

Configure Data Access Control


3 3.3 Data Protect
Lists

Configure Data Access Control


3 3.3 Data Protect
Lists

3 3.4 Data Protect Enforce Data Retention


3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Protect Securely Dispose of Data

3 3.5 Data Protect Securely Dispose of Data

3 3.6 Devices Protect Encrypt Data on End-User Devices

Establish and Maintain a Data


3 3.7 Devices Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.8 Data Identify Document Data Flows

3 3.9 Data Protect Encrypt Data on Removable Media

3 3.9 Data Protect Encrypt Data on Removable Media

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.10 Data Protect Encrypt Sensitive Data in Transit


3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and


3 3.12 Network Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention


3 3.13 Data Protect
Solution

Deploy a Data Loss Prevention


3 3.13 Data Protect
Solution

Deploy a Data Loss Prevention


3 3.13 Data Protect
Solution

Deploy a Data Loss Prevention


3 3.13 Data Protect
Solution

3 3.14 Data Detect Log Sensitive Data Access

3 3.14 Data Detect Log Sensitive Data Access

3 3.14 Data Detect Log Sensitive Data Access

4 Secure Configuration of Enterprise Assets and


Establish and maintain the secure configuratio
network devices; non-computing/IoT devices; a
Establish and Maintain a Secure
4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process
Establish and Maintain a Secure
4 4.2 Network Protect Configuration Process for Network
Infrastructure
Establish and Maintain a Secure
4 4.2 Network Protect Configuration Process for Network
Infrastructure
Establish and Maintain a Secure
4 4.2 Network Protect Configuration Process for Network
Infrastructure
Establish and Maintain a Secure
4 4.2 Network Protect Configuration Process for Network
Infrastructure

Establish and Maintain a Secure


4 4.2 Network Protect Configuration Process for Network
Infrastructure

Establish and Maintain a Secure


4 4.2 Network Protect Configuration Process for Network
Infrastructure

Establish and Maintain a Secure


4 4.2 Network Protect Configuration Process for Network
Infrastructure

Establish and Maintain a Secure


4 4.2 Network Protect Configuration Process for Network
Infrastructure

Configure Automatic Session


4 4.3 Users Protect
Locking on Enterprise Assets

Configure Automatic Session


4 4.3 Users Protect
Locking on Enterprise Assets

Configure Automatic Session


4 4.3 Users Protect
Locking on Enterprise Assets

Configure Automatic Session


4 4.3 Users Protect
Locking on Enterprise Assets
Implement and Manage a Firewall
4 4.4 Devices Protect
on Servers

Implement and Manage a Firewall


4 4.4 Devices Protect
on Servers

Implement and Manage a Firewall


4 4.4 Devices Protect
on Servers

Implement and Manage a Firewall


4 4.5 Devices Protect
on End-User Devices

Implement and Manage a Firewall


4 4.5 Devices Protect
on End-User Devices

Securely Manage Enterprise


4 4.6 Network Protect
Assets and Software

Manage Default Accounts on


4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable Unnecessary


4 4.8 Devices Protect Services on Enterprise Assets and
Software

Uninstall or Disable Unnecessary


4 4.8 Devices Protect Services on Enterprise Assets and
Software

Configure Trusted DNS Servers on


4 4.9 Devices Protect
Enterprise Assets

Configure Trusted DNS Servers on


4 4.9 Devices Protect
Enterprise Assets
Configure Trusted DNS Servers on
4 4.9 Devices Protect
Enterprise Assets

Enforce Automatic Device Lockout


4 4.10 Devices Respond
on Portable End-User Devices

Enforce Automatic Device Lockout


4 4.10 Devices Respond
on Portable End-User Devices

Enforce Remote Wipe Capability


4 4.11 Devices Protect
on Portable End-User Devices

Enforce Remote Wipe Capability


4 4.11 Devices Protect
on Portable End-User Devices

Separate Enterprise Workspaces


4 4.12 Devices Protect
on Mobile End-User Devices

Separate Enterprise Workspaces


4 4.12 Devices Protect
on Mobile End-User Devices

5 Account Management

Use processes and tools to assign and manage


accounts, as well as service accounts, to enter
Establish and Maintain an
5 5.1 Users Identify
Inventory of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges to


5 5.4 Users Protect
Dedicated Administrator Accounts

Restrict Administrator Privileges to


5 5.4 Users Protect
Dedicated Administrator Accounts
Establish and Maintain an
5 5.5 Users Identify
Inventory of Service Accounts

5 5.6 Users Protect Centralize Account Management

6 Access Control Management


Use processes and tools to create, assign, man
and service accounts for enterprise assets and

Establish an Access Granting


6 6.1 Users Protect
Process

Establish an Access Granting


6 6.1 Users Protect
Process

Establish an Access Granting


6 6.1 Users Protect
Process

Establish an Access Granting


6 6.1 Users Protect
Process
Establish an Access Granting
6 6.1 Users Protect
Process

Establish an Access Revoking


6 6.2 Users Protect
Process

Establish an Access Revoking


6 6.2 Users Protect
Process

Establish an Access Revoking


6 6.2 Users Protect
Process

Require MFA for Externally-


6 6.3 Users Protect
Exposed Applications

Require MFA for Externally-


6 6.3 Users Protect
Exposed Applications

Require MFA for Remote Network


6 6.4 Users Protect
Access

Require MFA for Remote Network


6 6.4 Users Protect
Access

Require MFA for Remote Network


6 6.4 Users Protect
Access

Require MFA for Administrative


6 6.5 Users Protect
Access
Establish and Maintain an
6 6.6 Users Identify Inventory of Authentication and
Authorization Systems

Establish and Maintain an


6 6.6 Users Identify Inventory of Authentication and
Authorization Systems

6 6.7 Users Protect Centralize Access Control

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

7 Continuous Vulnerability Management


Develop a plan to continuously assess and trac
infrastructure, in order to remediate, and minim
industry sources for new threat and vulnerabili

Establish and Maintain a


7 7.1 Applications Protect
Vulnerability Management Process

Establish and Maintain a


7 7.2 Applications Respond
Remediation Process

Perform Automated Operating


7 7.3 Applications Protect
System Patch Management

Perform Automated Operating


7 7.3 Applications Protect
System Patch Management
Perform Automated Operating
7 7.3 Applications Protect
System Patch Management
Perform Automated Operating
7 7.3 Applications Protect
System Patch Management
Perform Automated Application
7 7.4 Applications Protect
Patch Management

Perform Automated Application


7 7.4 Applications Protect
Patch Management
Perform Automated Application
7 7.4 Applications Protect
Patch Management
Perform Automated Application
7 7.4 Applications Protect
Patch Management

Perform Automated Vulnerability


7 7.5 Applications Identify
Scans of Internal Enterprise Assets

Perform Automated Vulnerability


7 7.6 Applications Identify Scans of Externally-Exposed
Enterprise Assets

7 7.7 Applications Respond Remediate Detected Vulnerabilities

7 7.7 Applications Respond Remediate Detected Vulnerabilities

7 7.7 Applications Respond Remediate Detected Vulnerabilities


7 7.7 Applications Respond Remediate Detected Vulnerabilities

8 Audit Log Management


Collect, alert, review, and retain audit logs of ev

Establish and Maintain an Audit


8 8.1 Network Protect
Log Management Process

Establish and Maintain an Audit


8 8.1 Network Protect
Log Management Process

8 8.2 Network Detect Collect Audit Logs

8 8.2 Network Detect Collect Audit Logs

8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log


8 8.3 Network Protect
Storage

8 8.4 Network Protect Standardize Time Synchronization

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.5 Network Detect Collect Detailed Audit Logs


8 8.6 Network Detect Collect DNS Query Audit Logs

8 8.7 Network Detect Collect URL Request Audit Logs

8 8.8 Network Detect Collect Command-Line Audit Logs

8 8.9 Devices Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.11 Network Detect Conduct Audit Log Reviews


8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections


Improve protections and detections of threats f
manipulate human behavior through direct eng

Ensure Use of Only Fully


9 9.1 Applications Protect Supported Browsers and Email
Clients
Ensure Use of Only Fully
9 9.1 Applications Protect Supported Browsers and Email
Clients

9 9.2 Network Protect Use DNS Filtering Services

Maintain and Enforce Network-


9 9.3 Network Protect
Based URL Filters

Maintain and Enforce Network-


9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions
Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions
9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email Server


9 9.7 Network Protect
Anti-Malware Protections

Deploy and Maintain Email Server


9 9.7 Network Protect
Anti-Malware Protections

10 Malware Defenses

Prevent or control the installation, spread, and

Deploy and Maintain Anti-Malware


10 10.1 Devices Protect
Software
Configure Automatic Anti-Malware
10 10.2 Devices Protect
Signature Updates
Disable Autorun and Autoplay for
10 10.3 Devices Protect
Removable Media

Configure Automatic Anti-Malware


10 10.4 Devices Detect
Scanning of Removable Media

Configure Automatic Anti-Malware


10 10.4 Devices Detect
Scanning of Removable Media

10 10.5 Devices Protect Enable Anti-Exploitation Features

Centrally Manage Anti-Malware


10 10.6 Devices Protect
Software

Use Behavior-Based Anti-Malware


10 10.7 Devices Detect
Software

11 Data Recovery
Establish and maintain data recovery practices
trusted state.
Establish and Maintain a Data
11 11.1 Data Recover
Recovery Process 

Establish and Maintain a Data


11 11.1 Data Recover
Recovery Process 

11 11.2 Data Recover Perform Automated Backups 

11 11.2 Data Recover Perform Automated Backups 

11 11.3 Data Protect Protect Recovery Data

11 11.3 Data Protect Protect Recovery Data

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an Isolated


11 11.4 Data Recover
Instance of Recovery Data 
Establish and Maintain an Isolated
11 11.4 Data Recover
Instance of Recovery Data 

11 11.5 Data Recover Test Data Recovery

11 11.5 Data Recover Test Data Recovery

Network Infrastructure
12
Management
Establish, implement, and actively manage (tra
exploiting vulnerable network services and acc
Ensure Network Infrastructure is
12 12.1 Network Protect
Up-to-Date

Establish and Maintain a Secure


12 12.2 Network Protect
Network Architecture

Establish and Maintain a Secure


12 12.2 Network Protect
Network Architecture
Establish and Maintain a Secure
12 12.2 Network Protect
Network Architecture
Establish and Maintain a Secure
12 12.2 Network Protect
Network Architecture
Establish and Maintain a Secure
12 12.2 Network Protect
Network Architecture

Establish and Maintain a Secure


12 12.2 Network Protect
Network Architecture

Establish and Maintain a Secure


12 12.2 Network Protect
Network Architecture

Securely Manage Network


12 12.3 Network Protect
Infrastructure

Securely Manage Network


12 12.3 Network Protect
Infrastructure

Securely Manage Network


12 12.3 Network Protect
Infrastructure
Establish and Maintain
12 12.4 Network Identify
Architecture Diagram(s)

Establish and Maintain


12 12.4 Network Identify
Architecture Diagram(s)

Centralize Network Authentication,


12 12.5 Network Protect
Authorization, and Auditing (AAA)

Use of Secure Network


12 12.6 Network Protect Management and Communication
Protocols 
Use of Secure Network
12 12.6 Network Protect Management and Communication
Protocols 
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure
Establish and Maintain Dedicated
12 12.8 Devices Protect Computing Resources for All
Administrative Work
13 Network Monitoring and Defense
Operate processes and tooling to establish and
security threats across the enterprise’s networ

13 13.1 Network Detect Centralize Security Event Alerting

13 13.1 Network Detect Centralize Security Event Alerting


13 13.1 Network Detect Centralize Security Event Alerting

13 13.1 Network Detect Centralize Security Event Alerting

13 13.1 Network Detect Centralize Security Event Alerting

Deploy a Host-Based Intrusion


13 13.2 Devices Detect
Detection Solution

Deploy a Network Intrusion


13 13.3 Network Detect
Detection Solution

Deploy a Network Intrusion


13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering Between


13 13.4 Network Protect
Network Segments

Perform Traffic Filtering Between


13 13.4 Network Protect
Network Segments

Manage Access Control for


13 13.5 Devices Protect
Remote Assets

Manage Access Control for


13 13.5 Devices Protect
Remote Assets

Manage Access Control for


13 13.5 Devices Protect
Remote Assets

Manage Access Control for


13 13.5 Devices Protect
Remote Assets
13 13.6 Network Detect Collect Network Traffic Flow Logs

13 13.6 Network Detect Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion


13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion


13 13.8 Network Protect
Prevention Solution

Deploy a Network Intrusion


13 13.8 Network Protect
Prevention Solution

13 13.9 Devices Protect Deploy Port-Level Access Control

13 13.9 Devices Protect Deploy Port-Level Access Control

13 13.10 Network Protect Perform Application Layer Filtering

Tune Security Event Alerting


13 13.11 Network Detect
Thresholds

14 Security Awareness and Skills Training


Establish and maintain a security awareness pr
conscious and properly skilled to reduce cyber

Establish and Maintain a Security


14 14.1 N/A Protect
Awareness Program
Establish and Maintain a Security
14 14.1 N/A Protect
Awareness Program

Establish and Maintain a Security


14 14.1 N/A Protect
Awareness Program

Train Workforce Members to


14 14.2 N/A Protect Recognize Social Engineering
Attacks
Train Workforce Members on
14 14.3 N/A Protect
Authentication Best Practices

Train Workforce on Data Handling


14 14.4 N/A Protect
Best Practices

Train Workforce Members on


14 14.5 N/A Protect Causes of Unintentional Data
Exposure
Train Workforce Members on
14 14.6 N/A Protect Recognizing and Reporting
Security Incidents
Train Workforce on How to Identify
and Report if Their Enterprise
14 14.7 N/A Protect
Assets are Missing Security
Updates

Train Workforce on the Dangers of


Connecting to and Transmitting
14 14.8 N/A Protect
Enterprise Data Over Insecure
Networks

Conduct Role-Specific Security


14 14.9 N/A Protect
Awareness and Skills Training

15 Service Provider Management


Develop a process to evaluate service provider
platforms or processes, to ensure these provid

Establish and Maintain an


15 15.1 N/A Identify
Inventory of Service Providers
Establish and Maintain a Service
15 15.2 N/A Identify
Provider Management Policy

Establish and Maintain a Service


15 15.2 N/A Identify
Provider Management Policy

Establish and Maintain a Service


15 15.2 N/A Identify
Provider Management Policy

Establish and Maintain a Service


15 15.2 N/A Identify
Provider Management Policy

Establish and Maintain a Service


15 15.2 N/A Identify
Provider Management Policy

15 15.2 N/A Identify Classify Service Providers

15 15.2 N/A Identify Classify Service Providers

Ensure Service Provider Contracts


15 15.3 N/A Identify
Include Security Requirements
Ensure Service Provider Contracts
15 15.3 N/A Identify
Include Security Requirements

Ensure Service Provider Contracts


15 15.3 N/A Identify
Include Security Requirements

Ensure Service Provider Contracts


15 15.3 N/A Identify
Include Security Requirements

15 15.4 N/A Protect Assess Service Providers

15 15.4 N/A Protect Assess Service Providers

15 15.4 N/A Protect Assess Service Providers

15 15.5 N/A Identify Monitor Service Providers


15 15.5 N/A Identify Monitor Service Providers

15 15.6 N/A Identify Monitor Service Providers

Securely Decommission Service


15 15.7 Data Protect
Providers

16 Application Software Security

Manage the security life cycle of in-house deve


security weaknesses before they can impact th

Establish and Maintain a Secure


16 16.1 Applications Protect
Application Development Process

Establish and Maintain a Secure


16 16.1 Applications Protect
Application Development Process
Establish and Maintain a Process
16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities

Establish and Maintain a Process


16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities

Establish and Maintain a Process


16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities
Establish and Maintain a Process
16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities

Perform Root Cause Analysis on


16 16.3 Applications Protect
Security Vulnerabilities

Establish and Manage an


16 16.4 Applications Protect Inventory of Third-Party Software
Components

Use Up-to-Date and Trusted Third-


16 16.5 Applications Protect
Party Software Components

Establish and Maintain a Severity


16 16.6 Applications Protect Rating System and Process for
Application Vulnerabilities
Use Standard Hardening
16 16.7 Applications Protect Configuration Templates for
Application Infrastructure

Use Standard Hardening


16 16.7 Applications Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-


16 16.8 Applications Protect
Production Systems

Train Developers in Application


16 16.9 Applications Protect Security Concepts and Secure
Coding

Apply Secure Design Principles in


16 16.10 Applications Protect
Application Architectures

Apply Secure Design Principles in


16 16.10 Applications Protect
Application Architectures

Leverage Vetted Modules or


16 16.11 Applications Protect Services for Application Security
Components
Implement Code-Level Security
16 16.12 Applications Protect
Checks

Implement Code-Level Security


16 16.12 Applications Protect
Checks

Conduct Application Penetration


16 16.13 Applications Protect
Testing

16 16.14 Applications Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and maintain an


roles, training, and communications) to prepare

Designate Personnel to Manage


17 17.1 N/A Respond
Incident Handling

Designate Personnel to Manage


17 17.1 N/A Respond
Incident Handling
Designate Personnel to Manage
17 17.1 N/A Respond
Incident Handling

Establish and Maintain Contact


17 17.2 N/A Respond Information for Reporting Security
Incidents

Establish and Maintain Contact


17 17.2 N/A Respond Information for Reporting Security
Incidents

Establish and Maintain Contact


17 17.2 N/A Respond Information for Reporting Security
Incidents

Establish and Maintain an


17 17.3 N/A Respond Enterprise Process for Reporting
Incidents

Establish and Maintain an


17 17.3 N/A Respond Enterprise Process for Reporting
Incidents

Establish and Maintain an


17 17.3 N/A Respond Enterprise Process for Reporting
Incidents
Establish and Maintain an
17 17.3 N/A Respond Enterprise Process for Reporting
Incidents

Establish and Maintain an Incident


17 17.4 N/A Respond
Response Process

Establish and Maintain an Incident


17 17.4 N/A Respond
Response Process

Establish and Maintain an Incident


17 17.4 N/A Respond
Response Process

Establish and Maintain an Incident


17 17.4 N/A Respond
Response Process

Establish and Maintain an Incident


17 17.4 N/A Respond
Response Process

Assign Key Roles and


17 17.5 N/A Respond
Responsibilities

Assign Key Roles and


17 17.5 N/A Respond
Responsibilities

Define Mechanisms for


17 17.6 N/A Respond Communicating During Incident
Response
Define Mechanisms for
17 17.6 N/A Respond Communicating During Incident
Response

Conduct Routine Incident


17 17.7 N/A Recover
Response Exercises

17 17.8 N/A Recover Conduct Post-Incident Reviews

Establish and Maintain Security


17 17.9 N/A Recover
Incident Thresholds

Establish and Maintain Security


17 17.9 N/A Recover
Incident Thresholds

18 Penetration Testing

Test the effectiveness and resiliency of enterpr


(people, processes, and technology), and simu

Establish and Maintain a


18 18.1 N/A Identify
Penetration Testing Program
Perform Periodic External
18 18.2 Network Identify
Penetration Tests

Remediate Penetration Test


18 18.3 Network Protect
Findings

18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal


18 18.5 N/A Identify
Penetration Tests
Description

of Enterprise Assets
tory, track, and correct) all enterprise assets (end-user devices, including portable and mobile;
omputing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically,
those within cloud environments, to accurately know the totality of assets that need to be
ed within the enterprise. This will also support identifying unauthorized and unmanaged assets to

Safeguard 1.1: Establish and maintain an accurate, detailed, and up-to-date inventory of all
enterprise assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure
the inventory records the network address (if static), hardware address, machine name, enterprise
asset owner, department for each asset, and whether the asset has been approved to connect to the
network. For mobile end-user devices, MDM type tools can support this process, where appropriate.
This inventory includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly connected to
the enterprise’s network infrastructure, even if they are not under control of the enterprise.
Review and update the inventory of all enterprise assets bi-annually, or more frequently.

Safeguard 1.2: Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from connecting remotely
to the network, or quarantine the asset.

Safeguard 1.3: Utilize an active discovery tool to identify assets connected to the enterprise’s
network. Configure the active discovery tool to execute daily, or more frequently.

Safeguard 1.4: Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s
asset inventory weekly, or more frequently.

Safeguard 1.5: Use a passive discovery tool to identify assets connected to the enterprise’s
network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more
frequently.

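Safeguards 1.1, 1.2 and 1.4 together describe one loop: granted DHCP leases update the inventory, and anything that obtained a lease without being an approved, inventoried asset gets acted on. The script below is an added example and is not part of the CIS document or any CIS tooling. It parses constructed ISC dhcpd-style syslog lines (only DHCPACK lines, since a DHCPREQUEST proves nothing), records the latest network address for each known hardware address, and sorts what it saw into authorized, quarantine (inventoried but not approved to connect) and unauthorized (not inventoried at all). The Asset fields, the sample inventory, the log lines and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of ISC dhcpd syslog lines (not real log data). Only DHCPACK
# lines prove a lease was actually granted, so DHCPREQUEST lines are ignored.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:41 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.17 to 3c:52:82:aa:01:9f (LAPTOP-0423) via eth0
Mar  3 09:13:02 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.18 to B8:27:EB:11:22:33 via eth0
Mar  3 09:13:10 dhcp1 dhcpd[1182]: DHCPREQUEST for 10.20.4.19 from 00:1a:2b:3c:4d:5e (PRINTER-2) via eth0
Mar  3 09:14:55 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.19 to 00:1a:2b:3c:4d:5e (PRINTER-2) via eth0
Mar  3 09:20:07 dhcp1 dhcpd[1182]: DHCPACK on 10.20.4.30 to 3c:52:82:aa:01:9f (LAPTOP-0423) via eth0
"""

# dhcpd prints the client hostname in parentheses only when the client sent one.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Asset:
    """One inventory row; the field set follows Safeguard 1.1 (assumed layout)."""
    hardware_address: str                 # inventory key, lowercase MAC
    machine_name: str
    owner: str
    department: str
    approved: bool                        # approved to connect to the network?
    network_address: Optional[str] = None # last address seen in DHCP logs
    seen_in_logs: bool = False


def sample_inventory() -> Dict[str, Asset]:
    """Constructed inventory for the example: one approved laptop, one printer awaiting approval."""
    return {
        "3c:52:82:aa:01:9f": Asset("3c:52:82:aa:01:9f", "LAPTOP-0423", "a.lee", "Finance", True),
        "00:1a:2b:3c:4d:5e": Asset("00:1a:2b:3c:4d:5e", "PRINTER-2", "facilities", "Ops", False),
    }


def parse_dhcp_acks(log_text: str):
    """Yield (ip, mac, hostname) for every DHCPACK line; MACs normalised to lowercase."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def reconcile(inventory: Dict[str, Asset], log_text: str) -> Dict[str, List[str]]:
    """Update the inventory from granted leases (1.4) and classify each client (1.2).

    Returns hardware addresses per bucket: 'authorized' (approved and inventoried),
    'quarantine' (inventoried but not approved) and 'unauthorized' (not inventoried;
    a placeholder row with approved=False is added so the device is tracked).
    """
    result: Dict[str, List[str]] = {"authorized": [], "quarantine": [], "unauthorized": []}
    discovered = set()   # devices first seen in this run stay 'unauthorized' on later leases
    for ip, mac, host in parse_dhcp_acks(log_text):
        asset = inventory.get(mac)
        if asset is None:
            inventory[mac] = Asset(mac, host or "<unknown>", "<unassigned>", "<unassigned>",
                                   approved=False, network_address=ip, seen_in_logs=True)
            discovered.add(mac)
            result["unauthorized"].append(mac)
            continue
        asset.network_address = ip      # latest lease wins
        asset.seen_in_logs = True
        if mac in discovered:
            continue
        bucket = "authorized" if asset.approved else "quarantine"
        if mac not in result[bucket]:
            result[bucket].append(mac)
    return result


if __name__ == "__main__":
    inv = sample_inventory()
    for bucket, macs in reconcile(inv, SAMPLE_DHCP_LOG).items():
        for mac in macs:
            a = inv[mac]
            print(f"{bucket:12} {mac} {a.machine_name:12} {a.network_address}")
```

The printer ends up in the quarantine bucket even though it is inventoried, because the inventory says it is not approved to connect; that distinction is what makes the "approved" field in 1.1 worth recording. A real run would feed the reconciled inventory to the weekly 1.2 process rather than print it.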
of Software Assets
tory, track, and correct) all software (operating systems and applications) on the network so that
re is installed and can execute, and that unauthorized and unmanaged software is found and
tion or execution.

Safeguard 2.1: Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial install/use
date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the
software inventory bi-annually, or more frequently.

Safeguard 2.2: Ensure that only currently supported software is designated as authorized in the
software inventory for enterprise assets. If software is unsupported, yet necessary for the
fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and
residual risk acceptance. For any unsupported software without an exception documentation,
designate as unauthorized. Review the software list to verify software support at least monthly, or
more frequently.

Safeguard 2.3: Ensure that unauthorized software is either removed from use on enterprise assets or
receives a documented exception. Review monthly, or more frequently.

Safeguard 2.4: Utilize software inventory tools, when possible, throughout the enterprise to
automate the discovery and documentation of installed software.

Safeguard 2.5: Use technical controls, such as application allowlisting, to ensure that only
authorized software can execute or be accessed. Reassess bi-annually, or more frequently.

Safeguard 2.6: Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized
libraries from loading into a system process. Reassess bi-annually, or more frequently.

Safeguard 2.7: Use technical controls, such as digital signatures and version control, to ensure
that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block
unauthorized scripts from executing. Reassess bi-annually, or more frequently.

technical controls to identify, classify, securely handle, retain, and dispose of data.
Safeguard 3.1: Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based
on sensitivity and retention standards for the enterprise. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Safeguard 3.2: Establish and maintain a data inventory, based on the enterprise’s data management
process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a
minimum, with a priority on sensitive data.

Safeguard 3.3: Configure data access control lists based on a user’s need to know. Apply data
access control lists, also known as access permissions, to local and remote file systems,
databases, and applications.

Safeguard 3.4: Retain data according to the enterprise’s data management process. Data retention
must include both minimum and maximum timelines.

Safeguard 3.5: Securely dispose of data as outlined in the enterprise’s data management process.
Ensure the disposal process and method are commensurate with the data sensitivity.

Safeguard 3.6: Encrypt data on end user devices, including workstations, laptops, tablets, and
smartphones containing sensitive data. Example implementations include, but are not limited to,
Windows BitLocker, Apple FileVault, Linux dm-crypt.

Safeguard 3.7: Establish and maintain an overall data classification scheme for the enterprise.
Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their
data according to those labels. Review and update the classification scheme annually, or when
significant enterprise changes occur that could impact this Safeguard.

Safeguard 3.8: Document data flows. Data flow documentation includes service provider data flows
and should be based on the enterprise’s data management process. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Safeguard 3.9: Encrypt data on removable media.

Safeguard 3.10: Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).

Safeguard 3.11: Encrypt sensitive data at rest on servers, applications, and databases containing
sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum
requirement of this Safeguard. Additional encryption methods may include application-layer
encryption, also known as client-side encryption, where access to the data storage device(s) does
not permit access to the plain-text data.

Safeguard 3.12: Segment data processing and storage based on the sensitivity of the data. Do not
process sensitive data on enterprise assets intended for lower sensitivity data.

Safeguard 3.13: Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool
to identify all sensitive data stored, processed, or transmitted through enterprise assets,
including those located onsite or at a remote service provider, and update the enterprise's
sensitive data inventory.

Safeguard 3.14: Log sensitive data access, including modification and disposal.

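Safeguard 3.10 names TLS as an implementation, but TLS only protects data in transit when the client authenticates the server; a context that encrypts yet skips certificate and hostname verification is the usual way this Safeguard is met on paper and not in practice. The following Python is an added example, not CIS text: it builds a client context that meets the bar, a deliberately weak one of the kind that appears when someone "fixes" a certificate error, and an assessment function that reports why a context falls short. The function names and the TLS 1.2 floor are choices made for the example; the TLS floor is the lowest version a practitioner would accept today, not a value the Safeguard itself specifies.

```python
import ssl
from typing import List


def hardened_client_context(min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context that protects sensitive data in transit.

    create_default_context() loads the platform trust store, requires a server
    certificate and checks the hostname. The minimum version is pinned explicitly
    because older interpreters and OpenSSL builds still negotiate TLS 1.0/1.1.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = min_version
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'make the error go away' context: encryption without authentication.

    Bytes on the wire are still encrypted, but any on-path attacker can present
    their own certificate and read everything, so this does not satisfy 3.10.
    check_hostname must be cleared before verify_mode, or ssl raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # whatever the library still allows
    return ctx


def assess(ctx: ssl.SSLContext, floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> List[str]:
    """Return the reasons a context does NOT meet the bar; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate (check_hostname is False)")
    if ctx.minimum_version < floor:
        findings.append(f"minimum TLS version too low: {ctx.minimum_version.name}")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        problems = assess(ctx)
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

The same three checks apply to any HTTP client library built on this module: if a wrapper exposes a "verify=False" or "insecure" switch, that is weak_client_context() under another name, and the assessment should treat it as such.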
f Enterprise Assets and Software


the secure configuration of enterprise assets (end-user devices, including portable and mobile;
omputing/IoT devices; and servers) and software (operating systems and applications).
Safeguard 4.1: Establish and maintain a secure configuration process for enterprise assets
(end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and
software (operating systems and applications). Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Safeguard 4.2: Establish and maintain a secure configuration process for network devices. Review
and update documentation annually, or when significant enterprise changes occur that could impact
this Safeguard.

Safeguard 4.3: Configure automatic session locking on enterprise assets after a defined period of
inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For
mobile end-user devices, the period must not exceed 2 minutes.

Safeguard 4.4: Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-party firewall
agent.

Safeguard 4.5: Implement and manage a host-based firewall or port-filtering tool on end-user
devices, with a default-deny rule that drops all traffic except those services and ports that are
explicitly allowed.

Safeguard 4.6: Securely manage enterprise assets and software. Example implementations include
managing configuration through version-controlled-infrastructure-as-code and accessing
administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext
Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet
(Teletype Network) and HTTP, unless operationally essential.

Safeguard 4.7: Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example implementations can include:
disabling default accounts or making them unusable.

Safeguard 4.8: Uninstall or disable unnecessary services on enterprise assets and software, such
as an unused file sharing service, web application module, or service function.

Safeguard 4.9: Configure trusted DNS servers on enterprise assets. Example implementations
include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally
accessible DNS servers.

Safeguard 4.10: Enforce automatic device lockout following a predetermined threshold of local
failed authentication attempts on portable end-user devices, where supported. For laptops, do not
allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10
failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and
Apple® Configuration Profile maxFailedAttempts.

Safeguard 4.11: Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer supports the
enterprise.

Safeguard 4.12: Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or Android™ Work
Profile to separate enterprise applications and data from personal applications and data.

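Safeguards 4.4 and 4.5 hinge on one property: the base policy of the inbound chain drops anything not explicitly allowed. The Python below is an added example (not from CIS) that renders an nftables input-chain ruleset from an allowlist of services and, for contrast, the "block a few bad ports" style that many hosts still run, where the base policy is accept and the rule list is decoration. A small checker reads the rendered text back and reports whether the chain is actually default-deny, which is the check worth scripting across a fleet. The allowlist contents and the function names are assumptions made for the example; the nftables syntax itself is standard.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed allowlist for the example: services this host may expose.
# Everything not listed here is dropped by the base policy.
ALLOWED_SERVICES: List[Tuple[str, int]] = [("tcp", 22), ("tcp", 443), ("udp", 51820)]


def render_ruleset(allowed: Iterable[Tuple[str, int]], default_deny: bool = True) -> str:
    """Render an nftables ruleset for the input hook.

    default_deny=True gives the 4.5 model: policy drop, return traffic for
    established flows and loopback accepted, only the listed ports reachable.
    default_deny=False gives the weak variant: policy accept, where the accept
    rules below change nothing because unmatched traffic is accepted anyway.
    """
    by_proto: Dict[str, List[int]] = {}
    for proto, port in allowed:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        by_proto.setdefault(proto, []).append(port)

    policy = "drop" if default_deny else "accept"
    lines = [
        "table inet filter {",
        "    chain input {",
        f"        type filter hook input priority 0; policy {policy};",
        "        ct state established,related accept",   # replies to outbound connections
        "        ct state invalid drop",
        "        iif lo accept",                          # local inter-process traffic
    ]
    for proto in sorted(by_proto):
        ports = ", ".join(str(p) for p in sorted(set(by_proto[proto])))
        lines.append(f"        {proto} dport {{ {ports} }} accept")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def is_default_deny(ruleset: str) -> bool:
    """True only if the input chain's base policy is drop.

    A ruleset with no input hook at all filters nothing, so it is reported as
    not default-deny rather than as 'no finding'.
    """
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("type filter hook input"):
            return line.rstrip(";").split("policy")[-1].strip() == "drop"
    return False


if __name__ == "__main__":
    for mode in (True, False):
        text = render_ruleset(ALLOWED_SERVICES, default_deny=mode)
        print(f"# default_deny={mode}: is_default_deny -> {is_default_deny(text)}")
        print(text)
```

The default-deny output can be loaded with `nft -f` on a Linux host. On Windows the equivalent check is that the profile's default inbound action is Block rather than Allow; the ruleset text differs, the property being checked does not.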
ls to assign and manage authorization to credentials for user accounts, including administrator
rvice accounts, to enterprise assets and software.
Safeguard 5.1: Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory must include both user and administrator accounts. The inventory, at a minimum, should
contain the person’s name, username, start/stop dates, and department. Validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Safeguard 5.2: Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password
for accounts not using MFA.

Safeguard 5.3: Delete or disable any dormant accounts after a period of 45 days of inactivity,
where supported.

Safeguard 5.4: Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email, and productivity
suite use, from the user’s primary, non-privileged account.

Safeguard 5.5: Establish and maintain an inventory of service accounts. The inventory, at a
minimum, must contain department owner, review date, and purpose. Perform service account reviews
to validate that all active accounts are authorized, on a recurring schedule at a minimum
quarterly, or more frequently.

Safeguard 5.6: Centralize account management through a directory or identity service.

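Safeguards 5.1 and 5.3 are usually implemented as one scheduled review over a directory export: accounts idle for more than 45 days and accounts whose stop date has passed get disabled. Two cases trip up naive versions of that review, and the added Python example below (not CIS code) handles both: an account that has never logged on has no last-logon value and must age from its creation date rather than being skipped, and an account whose stop date has passed must be disabled even if it was used yesterday, because use after the stop date is exactly the event the review exists to catch. The Account fields, the sample export and the fixed review date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

DORMANT_AFTER = timedelta(days=45)      # Safeguard 5.3 threshold
REVIEW_DATE = date(2023, 1, 15)         # constructed 'today' so the example is reproducible


@dataclass
class Account:
    """One row of a directory export; fields follow Safeguard 5.1 (assumed layout)."""
    username: str
    person: str
    department: str
    start: date
    created: date
    enabled: bool
    stop: Optional[date] = None         # set once the person is expected to leave
    last_logon: Optional[date] = None   # None means the account has never been used


def sample_accounts():
    """Constructed export covering the cases the review has to get right."""
    d = date
    return [
        Account("alee",  "A. Lee",  "Finance", d(2021, 1, 4),  d(2021, 1, 4),  True, last_logon=d(2023, 1, 9)),
        Account("bkhan", "B. Khan", "Ops",     d(2022, 6, 1),  d(2022, 6, 1),  True, last_logon=d(2022, 10, 2)),
        Account("cvega", "C. Vega", "IT",      d(2022, 12, 1), d(2022, 11, 28), True),   # never logged on
        Account("dnew",  "D. New",  "IT",      d(2023, 1, 2),  d(2022, 12, 30), True),   # onboarded recently
        Account("eold",  "E. Old",  "HR",      d(2019, 3, 1),  d(2019, 3, 1),  True,
                stop=d(2022, 12, 31), last_logon=d(2023, 1, 5)),                          # used after stop date
        Account("fgone", "F. Gone", "HR",      d(2019, 3, 1),  d(2019, 3, 1),  False,
                stop=d(2022, 6, 30), last_logon=d(2022, 6, 29)),                          # already disabled
    ]


def review(accounts: Iterable[Account], today: date) -> Dict[str, str]:
    """Return {username: reason} for every enabled account that should be disabled.

    Accounts are disabled rather than deleted so that audit trails referencing
    them remain resolvable (the same point the 6.2 text makes).
    """
    actions: Dict[str, str] = {}
    for a in accounts:
        if not a.enabled:
            continue
        if a.stop is not None and a.stop < today:
            actions[a.username] = f"stop date {a.stop} has passed"
            continue
        last_activity = a.last_logon or a.created   # never-used accounts age from creation
        idle = today - last_activity
        if idle > DORMANT_AFTER:
            kind = "never used" if a.last_logon is None else "no logon"
            actions[a.username] = f"{kind} for {idle.days} days"
    return actions


if __name__ == "__main__":
    for user, reason in review(sample_accounts(), REVIEW_DATE).items():
        print(f"disable {user:8} {reason}")
```

In a real directory, last-logon values are often replicated lazily or not at all for some logon types, so the export should come from the attribute the directory actually updates on every authentication; otherwise the review disables accounts that are in daily use.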
ls to create, assign, manage, and revoke access credentials and privileges for user, administrator,
or enterprise assets and software.

Safeguard 6.1: Establish and follow a process, preferably automated, for granting access to
enterprise assets upon new hire, rights grant, or role change of a user.

Safeguard 6.2: Establish and follow a process, preferably automated, for revoking access to
enterprise assets, through disabling accounts immediately upon termination, rights revocation, or
role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to
preserve audit trails.

Safeguard 6.3: Require all externally-exposed enterprise or third-party applications to enforce
MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory
implementation of this Safeguard.

Safeguard 6.4: Require MFA for remote network access.

Safeguard 6.5: Require MFA for all administrative access accounts, where supported, on all
enterprise assets, whether managed on-site or through a third-party provider.

Safeguard 6.6: Establish and maintain an inventory of the enterprise’s authentication and
authorization systems, including those hosted on-site or at a remote service provider. Review and
update the inventory, at a minimum, annually, or more frequently.

Safeguard 6.7: Centralize access control for all enterprise assets through a directory service or
SSO provider, where supported.

Safeguard 6.8: Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out its
assigned duties. Perform access control reviews of enterprise assets to validate that all
privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
industry sources for new threat and vulnerability information.

Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation
process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch management
on a monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.


Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more
frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-
compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-
compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or
more frequent, basis, based on the remediation process.


Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.

Collect audit logs. Ensure that logging has been enabled across end-user devices,
applications, and network infrastructure.

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s
audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other
useful elements that could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and supported.

Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.

Centralize, to the extent possible, audit log collection and retention across enterprise assets.

Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.
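
An added illustration of the two Safeguards above, the detailed logging fields and the weekly review (example code, not part of the CIS mapping or any CIS tooling): a small review pass over log lines that carry the fields the first Safeguard lists (event source, timestamp, username, source and destination addresses). It applies two checks a weekly review commonly runs: a successful authentication preceded by a burst of failures from the same source, and an administrative login from outside the enterprise's own address ranges. The log lines, account names and address ranges are constructed placeholders, as are the thresholds.

```python
"""Added example (not from the CIS mapping document): a minimal weekly review
pass over audit-log lines carrying event source, timestamp, username, source
and destination address.  Log lines, account names, address ranges and
thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample log lines in a key=value layout (RFC 5737 test addresses).
SAMPLE_LOG = """\
ts=2023-01-09T02:14:03Z source=vpn-gw user=svc-backup event=auth outcome=fail srcaddr=198.51.100.23 dstaddr=10.0.0.5
ts=2023-01-09T02:14:21Z source=vpn-gw user=svc-backup event=auth outcome=fail srcaddr=198.51.100.23 dstaddr=10.0.0.5
ts=2023-01-09T02:14:40Z source=vpn-gw user=svc-backup event=auth outcome=fail srcaddr=198.51.100.23 dstaddr=10.0.0.5
ts=2023-01-09T02:15:02Z source=vpn-gw user=svc-backup event=auth outcome=fail srcaddr=198.51.100.23 dstaddr=10.0.0.5
ts=2023-01-09T02:15:31Z source=vpn-gw user=svc-backup event=auth outcome=fail srcaddr=198.51.100.23 dstaddr=10.0.0.5
ts=2023-01-09T02:15:52Z source=vpn-gw user=svc-backup event=auth outcome=success srcaddr=198.51.100.23 dstaddr=10.0.0.5
ts=2023-01-09T09:01:10Z source=sso user=alice event=auth outcome=fail srcaddr=10.0.0.8 dstaddr=10.0.1.20
ts=2023-01-09T09:01:25Z source=sso user=alice event=auth outcome=success srcaddr=10.0.0.8 dstaddr=10.0.1.20
ts=2023-01-10T22:40:00Z source=sso user=admin-bob event=auth outcome=success srcaddr=203.0.113.9 dstaddr=10.0.1.20
ts=2023-01-11T10:05:00Z source=sso user=admin-bob event=auth outcome=success srcaddr=10.0.0.15 dstaddr=10.0.1.20
"""

# Constructed policy inputs: the enterprise's own ranges and its administrative accounts.
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ACCOUNTS = {"admin-bob"}


def parse_log(text):
    """Turn each key=value line into a dict, adding a tz-aware datetime under 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["time"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(fields)
    return sorted(events, key=lambda e: e["time"])


def successful_after_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a successful authentication preceded, within `window`, by at least
    `threshold` failures for the same user from the same source address."""
    recent_fails = defaultdict(list)  # (user, srcaddr) -> failure times
    hits = []
    for e in events:
        if e.get("event") != "auth":
            continue
        key = (e["user"], e["srcaddr"])
        if e["outcome"] == "fail":
            recent_fails[key].append(e["time"])
            continue
        fails = [t for t in recent_fails[key] if e["time"] - t <= window]
        if len(fails) >= threshold:
            hits.append((e["user"], e["srcaddr"], e["ts"], len(fails)))
        recent_fails[key].clear()  # a success closes the failure run
    return hits


def admin_logins_from_outside(events, nets=ENTERPRISE_NETS, admins=ADMIN_ACCOUNTS):
    """Flag successful administrative logins whose source address is outside
    the enterprise's own ranges."""
    hits = []
    for e in events:
        if e.get("event") == "auth" and e["outcome"] == "success" and e["user"] in admins:
            addr = ipaddress.ip_address(e["srcaddr"])
            if not any(addr in n for n in nets):
                hits.append((e["user"], e["srcaddr"], e["ts"]))
    return hits


def weekly_review(text):
    """Run both checks over one week of log text and return the findings."""
    events = parse_log(text)
    return {
        "credential_guessing_success": successful_after_failures(events),
        "admin_from_outside": admin_logins_from_outside(events),
    }


if __name__ == "__main__":
    for name, hits in weekly_review(SAMPLE_LOG).items():
        print(name, hits)
```

Both checks depend on the fields the first Safeguard asks for: without the source address the failure burst cannot be tied to one origin, and without a reliable timestamp (see the time-synchronization Safeguard) the five-minute window is meaningless. The same parser serves any additional review rule; in production the log text would come from the central collection point rather than the constructed string.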

Collect service provider logs, where supported. Example implementations include collecting
authentication and authorization events, data creation and disposal events, and user
management events.

Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to
manipulate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise,
only using the latest version of browsers and email clients provided through the vendor.

Use DNS filtering services on all enterprise assets to block access to known malicious
domains.

Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-
based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all
enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or
email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC
policy and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
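
An added illustration of the DMARC Safeguard above (example code, not part of the CIS mapping or any CIS tooling): an offline check of the three DNS TXT records the Safeguard names. The domain names, selector, DKIM key value and record contents are constructed placeholders, and a real check would fetch the TXT records from DNS instead of the SAMPLE_DNS dictionary. It flags the weak settings a reviewer looks for: an SPF record ending in +all or ?all, more than ten DNS-lookup terms, a missing or revoked DKIM key, and a DMARC policy of p=none or one without an aggregate-report address.

```python
"""Added example (not from the CIS mapping document): check the SPF, DKIM and
DMARC TXT records a domain publishes, offline, against constructed records.
Domain names, the selector and the DKIM key value are placeholders."""
import re

# Constructed DNS TXT records, keyed by the name each would be published at.
SAMPLE_DNS = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.test -all"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDERBASE64PUBLICKEY"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"],
    "weak.test": ["v=spf1 include:_spf.mail.example.test +all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(domain, dns):
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record"]
    issues = []
    if len(records) > 1:
        issues.append("SPF: more than one record (RFC 7208 allows exactly one)")
    mechs = records[0].split()[1:]
    # The qualifier on the final 'all' decides what happens to unlisted senders.
    alls = [m for m in mechs if m.lower().lstrip("+-~?") == "all"]
    if not alls:
        issues.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        q = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if q == "+":
            issues.append("SPF: ends in '+all', any host may send as this domain")
        elif q == "?":
            issues.append("SPF: ends in '?all' (neutral), no protection")
    # RFC 7208 limits the terms that cause DNS lookups to 10 per evaluation.
    lookup_terms = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for m in mechs
                  if re.split(r"[:=/]", m.lower().lstrip("+-~?"))[0] in lookup_terms)
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS-lookup terms, limit is 10 (permerror)")
    return issues


def check_dkim(domain, selector, dns):
    records = dns.get(f"{selector}._domainkey.{domain}", [])
    if not records:
        return [f"DKIM: no record for selector '{selector}'"]
    tags = parse_tags(records[0])
    issues = []
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        issues.append("DKIM: empty 'p' tag, key is revoked")  # RFC 6376 semantics
    return issues


def check_dmarc(domain, dns):
    records = dns.get(f"_dmarc.{domain}", [])
    if not records:
        return ["DMARC: no record, receivers cannot apply a policy"]
    rec = records[0]
    if not rec.lower().startswith("v=dmarc1"):
        return ["DMARC: record must begin with v=DMARC1"]
    tags = parse_tags(rec)
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("DMARC: missing or invalid 'p' tag")
    elif policy == "none":
        issues.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("DMARC: no 'rua' address, aggregate reports will not be received")
    return issues


def assess(domain, selectors, dns=SAMPLE_DNS):
    """Run all three checks; an empty list means the domain is fully enforced."""
    issues = check_spf(domain, dns)
    for sel in selectors:
        issues += check_dkim(domain, sel, dns)
    issues += check_dmarc(domain, dns)
    return issues


if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, assess(d, ["sel1"]))
```

Two of the checks go beyond the Safeguard text: the ten-lookup limit comes from RFC 7208 and the empty-p-means-revoked rule from RFC 6376. A p=none policy is the usual first step while SPF and DKIM alignment is being verified from the aggregate reports; enforcement against spoofed mail only begins once the policy moves to quarantine or reject.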

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment scanning
and/or sandboxing.

Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and
trusted state.

Establish and maintain a data recovery process. In the process, address the scope of data
recovery activities, recovery prioritization, and the security of backup data. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more
frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.

Establish and maintain an isolated instance of recovery data. Example implementations
include, version controlling backup destinations through offline, cloud, or off-site systems or
services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise
assets.

Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from
exploiting vulnerable network services and access points.

Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.

Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to
accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically separated,
for all administrative tasks or tasks requiring administrative access. The computing resources
should be segmented from the enterprise's primary network and not be allowed internet
access.

Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against
security threats across the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts
also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate
and/or supported.

Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System (NIDS) or
equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software
installed, configuration compliance with the enterprise’s secure configuration process, and
ensuring the operating system and applications are up-to-date.

Collect network traffic flow logs and/or network traffic to review and alert upon from network
devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate
and/or supported. Example implementations include use of an Endpoint Detection and
Response (EDR) client or host-based IPS agent.

Deploy a network intrusion prevention solution, where appropriate. Example implementations
include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network
access control protocols, such as certificates, and may incorporate user and/or device
authentication.

Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security
conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing,
pretexting, and tailgating.

Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset,
erasing physical and virtual whiteboards at the end of meetings, and storing data and assets
securely.
Train workforce members to be aware of causes for unintentional data exposure. Example
topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing
data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report
such an incident. 

Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.

Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT
platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Establish and maintain an inventory of service providers. The inventory is to list all known
service providers, include classification(s), and designate an enterprise contact for each
service provider. Review and update the inventory annually, or when significant enterprise
changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
impact this Safeguard.

Classify service providers. Classification consideration may include one or more
characteristics, such as data sensitivity, data volume, availability requirements, applicable
regulations, inherent risk, and mitigated risk. Update and review classifications annually, or
when significant enterprise changes occur that could impact this Safeguard.

Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach
notification and response, data encryption requirements, and data disposal commitments.
These security requirements must be consistent with the enterprise’s service provider
management policy. Review service provider contracts annually to ensure contracts are not
missing security requirements.

Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of
standardized assessment reports, such as Service Organization Control 2 (SOC 2) and
Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or
other appropriately rigorous processes. Reassess service providers annually, at a minimum, or
with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring
service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service
account deactivation; termination of data flows; and secure disposal of enterprise data within
service provider systems.
Application Software Security

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
security weaknesses before they can impact the enterprise.

Establish and maintain a secure application development process. In the process, address
such items as: secure application design standards, secure coding practices, developer
training, vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to report. The process is to include such items
as: a vulnerability handling policy that identifies reporting process, responsible party for
handling vulnerability reports, and a process for intake, assignment, remediation, and
remediation testing. As part of the process, use a vulnerability tracking system that includes
severity ratings, and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to
set expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root
cause analysis is the task of evaluating underlying issues that create vulnerabilities in code,
and allows development teams to move beyond just fixing individual vulnerabilities as they
arise.

Establish and manage an updated inventory of third-party components used in development,
often referred to as a “bill of materials,” as well as components slated for future use. This
inventory is to include any risks that each third-party component could pose. Evaluate the list at
least monthly to identify any changes or updates to these components, and validate that the
component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate security. Acquire these
components from trusted sources or evaluate the software for vulnerabilities before use.

Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process
includes setting a minimum level of security acceptability for releasing code or applications.
Severity ratings bring a systematic way of triaging vulnerabilities that improves risk
management and helps ensure the most severe bugs are fixed first. Review and update the
system and process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of
security among the developers.

Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that
explicit error checking is performed and documented for all input, including for size, data type,
and acceptable ranges or formats. Secure design also means minimizing the application
infrastructure attack surface, such as turning off unprotected ports and services, removing
unnecessary programs and files, and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for
identification, authentication, and authorization and make those mechanisms available to
applications. Use only standardized, currently accepted, and extensively reviewed encryption
algorithms. Operating systems also provide mechanisms to create and maintain secure audit
logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure
coding practices are being followed.

Conduct application penetration testing. For critical applications, authenticated penetration
testing is better suited to finding business logic vulnerabilities than code scanning and
automated security testing. Penetration testing relies on the skill of the tester to manually
manipulate an application as an authenticated and unauthenticated user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is conducted
through specially trained individuals who evaluate the application design and gauge security
risks for each entry point and access level. The goal is to map out the application, architecture,
and infrastructure in a structured way to understand its weaknesses.

Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies,
plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly
respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal
to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor,
designate at least one person internal to the enterprise to oversee any third-party work. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is
up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact
this Safeguard.

Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in
mind that certain mechanisms, such as emails, can be affected during a security incident.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.

Plan and conduct routine incident response exercises and scenarios for key personnel involved
in the incident response process to prepare for responding to real-world incidents. Exercises
need to test communication channels, decision making, and workflows. Conduct testing on an
annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating
between an incident and an event. Examples can include: abnormal activity, security
vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting
weaknesses in controls (people, processes, and technology), and simulating the objectives and
actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics should include scope,
such as network, web application, API, hosted services, and physical premise controls;
frequency; limitations, such as acceptable hours, and excluded attack types; point of contact
information; remediation, such as how findings will be routed internally; and, retrospective
requirements.

Perform periodic external penetration tests based on program requirements, but no less than
annually. External penetration testing should include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires specialized skills
and experience and must be conducted by a qualified party. The testing may be clear box or
opaque box. See the Cloud Companion Guide for cloud-specific guidance.

Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.

Validate security measures after each penetration test. Enterprises should modify rulesets and
capabilities to detect the techniques used by testers.

Perform periodic internal penetration tests based on program requirements, but no less than
annually. The testing may be clear box or opaque box. See the Cloud Companion Guide for
cloud-specific guidance.
IG1 IG2 IG3  Relationship  Identifier  Control or Control Enhancement Name
x   x   x    Subset        CM-8        System Component Inventory
x   x   x    Superset      CM-8(1)     System Component Inventory | Updates During Installation and Removal
x   x   x    Subset        PM-5        System Inventory
x   x   x    Subset        CM-8(3)     System Component Inventory | Automated Unauthorized Component Detection
-   x   x    Subset        SI-4        System Monitoring
-   x   x    Subset        CM-8(3)     System Component Inventory | Automated Unauthorized Component Detection
-   -   x    Subset        CM-8(3)     System Component Inventory | Automated Unauthorized Component Detection
-   -   x    Subset        SI-4        System Monitoring
x   x   x    Subset        CM-8        System Component Inventory
x   x   x    Subset        CM-7(1)     Least Functionality | Periodic Review
x   x   x    Superset      MA-3        Maintenance Tools
x   x   x    Equivalent    SA-22       Unsupported System Components
x   x   x    Subset        CM-7(2)     Least Functionality | Prevent Program Execution
x   x   x    Subset        CM-8(3)     System Component Inventory | Automated Unauthorized Component Detection
x   x   x    Subset        CM-10       Software Usage Restrictions
x   x   x    Subset        CM-11       User-installed Software
-   x   x    Subset        CM-8(3)     System Component Inventory | Automated Unauthorized Component Detection
-   x   x    Equivalent    CM-7(5)     Least Functionality | Authorized Software — Allow-by-exception
-   x   x    Superset      CM-10       Software Usage Restrictions
-   x   x    Subset        CM-7        Least Functionality
-   x   x    Superset      CM-7(1)     Least Functionality | Periodic Review
-   -   x    Subset        CM-7        Least Functionality
-   -   x    Superset      CM-7(1)     Least Functionality | Periodic Review
-   -   x    Superset      SI-7        Software, Firmware, and Information Integrity
-   -   x    Superset      SI-7(1)     Software, Firmware, and Information Integrity | Integrity Checks
x   x   x    Superset      AU-11       Audit Record Retention
x   x   x    Subset        CM-12       Information Location
x   x   x    Equivalent    SI-12       Information Management and Retention
x   x   x    Superset      CM-12       Information Location
x   x   x    Superset      PM-5(1)     System Inventory | Inventory of Personally Identifiable Information
x   x   x    Superset      PM-5(1)     System Inventory | Inventory of Personally Identifiable Information
x   x   x    Superset      PM-5(1)     System Inventory | Inventory of Personally Identifiable Information
x   x   x    Subset        RA-2        Security Categorization
x   x   x    Subset        AC-3        Access Enforcement
x   x   x    Subset        AC-5        Separation of Duties
x   x   x    Subset        AC-6        Least Privilege
x   x   x    Superset      MP-2        Media Access
x   x   x    Subset        AU-11       Audit Record Retention
x   x   x    Subset        SI-12       Information Management and Retention
x   x   x    Subset        MP-6        Media Sanitization
x   x   x    Subset        SR-12       Component Disposal
x   x   x    Subset        SC-28       Protection of Information at Rest
-   x   x    Subset        RA-2        Security Categorization
-   x   x    Subset        AC-4        Information Flow Enforcement
-   x   x    Subset        CM-12       Information Location
-   x   x    Subset        MP-5        Media Transport
-   x   x    Subset        MP-7        Media Use
-   x   x    Subset        AC-17(2)    Remote Access | Protection of Confidentiality and Integrity Using Encryption
-   x   x    Subset        IA-5        Authenticator Management
-   x   x    Subset        IA-5(1)     Authenticator Management | Password-based Authentication
-   x   x    Subset        SC-8        Transmission Confidentiality and Integrity
-   x   x    Subset        SC-8(1)     Transmission Confidentiality and Integrity | Cryptographic Protection
-   x   x    Superset      IA-5(1)     Authenticator Management | Password-based Authentication
-   x   x    Equivalent    SC-28       Protection of Information at Rest
-   x   x    Superset      SC-28(1)    Protection of Information at Rest | Cryptographic Protection
-   x   x
-   -   x    Subset        CA-7        Continuous Monitoring
-   -   x    Subset        CM-12       Information Location
-   -   x    Subset        CM-12(1)    Information Location | Automated Tools to Support Information Location
-   -   x    Subset        SC-4        Information in Shared System Resources
-   -   x    Subset        AC-6(9)     Least Privilege | Log Use of Privileged Functions
-   -   x    Subset        AU-2        Event Logging
-   -   x    Subset        AU-12       Audit Record Generation
x   x   x    Equivalent    CM-1        Policy and Procedures
x   x   x    Superset      CM-2        Baseline Configuration
x   x   x    Superset      CM-6        Configuration Settings
x   x   x    Subset        CM-7        Least Functionality
x   x   x    Superset      CM-7(1)     Least Functionality | Periodic Review
x   x   x    Equivalent    CM-9        Configuration Management Plan
x   x   x    Superset      SA-3        System Development Life Cycle
x   x   x    Superset      SA-8        Security and Privacy Engineering Principles
x   x   x    Superset      SA-10       Developer Configuration Management
x   x   x    Superset      AC-18       Wireless Access
x   x   x    Superset      AC-18(1)    Wireless Access | Authentication and Encryption
x   x   x    Superset      AC-18(3)    Wireless Access | Disable Wireless Networking
x   x   x    Superset      CM-2        Baseline Configuration
x   x   x    Superset      CM-6        Configuration Settings
x   x   x    Subset        CM-7        Least Functionality
x   x   x    Subset        CM-7(1)     Least Functionality | Periodic Review
x   x   x    Equivalent    CM-9        Configuration Management Plan
x   x   x    Subset        AC-2(5)     Account Management | Inactivity Logout
x   x   x    Equivalent    AC-11       Device Lock
x   x   x    Superset      AC-11(1)    Device Lock | Pattern-hiding Displays
x   x   x    Superset      AC-12       Session Termination
x   x   x    Subset        CA-9        Internal System Connections
x   x   x    Subset        SC-7        Boundary Protection
x   x   x    Subset        SC-7(5)     Boundary Protection | Deny by Default — Allow by Exception
x   x   x    Subset        SC-7        Boundary Protection
x   x   x    Subset        SC-7(5)     Boundary Protection | Deny by Default — Allow by Exception
x   x   x    Superset      MA-4        Nonlocal Maintenance
x   x   x    Subset        IA-5        Authenticator Management
-   x   x    Subset        CM-6        Configuration Settings
-   x   x    Subset        CM-7        Least Functionality
-   x   x    Subset        SC-20       Secure Name/address Resolution Service (authoritative Source)
-   x   x    Subset        SC-21       Secure Name/address Resolution Service (recursive or Caching Resolver)
-   x   x    Subset        SC-22       Architecture and Provisioning for Name/address Resolution Service
-   x   x    Subset        AC-7        Unsuccessful Logon Attempts
-   x   x    Subset        AC-19       Access Control for Mobile Devices
-   x   x    Subset        AC-19       Access Control for Mobile Devices
-   x   x    Subset        AC-20       Use of External Systems
-   -   x    Equivalent    AC-19(5)    Access Control for Mobile Devices | Full Device or Container-based Encryption
-   -   x    Subset        SC-39       Process Isolation
x   x   x    Subset        AC-2        Account Management
x   x   x    Subset        IA-5(1)     Authenticator Management | Password-based Authentication
x   x   x    Subset        AC-2(3)     Account Management | Disable Accounts
x   x   x    Superset      AC-6(2)     Least Privilege | Non-privileged Access for Nonsecurity Functions
x   x   x    Superset      AC-6(5)     Least Privilege | Privileged Accounts
-   x   x    Subset        AC-2        Account Management
-   x   x    Subset        AC-2(1)     Account Management | Automated System Account Management
x   x   x    Subset        IA-4        Identifier Management
x   x   x    Subset        IA-5        Authenticator Management
x   x   x    Subset        AC-1        Policy and Procedures
x   x   x    Subset        AC-2        Account Management
x   x   x    Subset        AC-2(1)     Account Management | Automated System Account Management
x   x   x    Subset        AC-1        Policy and Procedures
x   x   x    Subset        AC-2        Account Management
x   x   x    Subset        AC-2(1)     Account Management | Automated System Account Management
x   x   x    Subset        IA-2(1)     Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
x   x   x    Subset        IA-2(2)     Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
x   x   x    Subset        AC-19       Access Control for Mobile Devices
x   x   x    Subset        IA-2(1)     Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
x   x   x    Subset        IA-2(2)     Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts
x   x   x    Equivalent    IA-2(1)     Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts
-   x   x    Subset        CM-8        System Component Inventory
-   x   x    Subset        IA-8(2)     Identification and Authentication (non-organizational Users) | Acceptance of External Authenticators
-   x   x    Subset        AC-2(1)     Account Management | Automated System Account Management
-   x   x    Subset        AC-3        Access Enforcement
-   -   x    Subset        AC-2        Account Management
-   -   x    Subset        AC-5        Separation of Duties
-   -   x    Subset        AC-6        Least Privilege
-   -   x    Superset      AC-6(1)     Least Privilege | Authorize Access to Security Functions
-   -   x    Subset        AC-6(7)     Least Privilege | Review of User Privileges
-   -   x    Superset      AU-9(4)     Protection of Audit Information | Access by Subset of Privileged Users
x   x   x    Superset      RA-5        Vulnerability Monitoring and Scanning
x   x   x    Superset      RA-5        Vulnerability Monitoring and Scanning
x   x   x    Subset        RA-5        Vulnerability Monitoring and Scanning
x   x   x    Subset        RA-7        Risk Response
x   x   x    Subset        SI-2        Flaw Remediation
x   x   x    Subset        SI-2(2)     Flaw Remediation | Automated Flaw Remediation Status
x   x   x    Subset        RA-5        Vulnerability Monitoring and Scanning
x   x   x    Subset        RA-7        Risk Response
x   x   x    Subset        SI-2        Flaw Remediation
x   x   x    Subset        SI-2(2)     Flaw Remediation | Automated Flaw Remediation Status
-   x   x    Subset        RA-5        Vulnerability Monitoring and Scanning
-   x   x    Subset        RA-5        Vulnerability Monitoring and Scanning
-   x   x    Subset        RA-5        Vulnerability Monitoring and Scanning
-   x   x    Superset      RA-5(2)     Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
-   x   x    Subset        RA-7        Risk Response
-   x   x    Subset        SI-2        Flaw Remediation
x   x   x    Equivalent    AU-1        Policy and Procedures
x   x   x    Superset      AU-2        Event Logging
x   x   x    Equivalent    AU-2        Event Logging
x   x   x    Subset        AU-7        Audit Record Reduction and Report Generation
x   x   x    Equivalent    AU-12       Audit Record Generation
x   x   x    Equivalent    AU-4        Audit Log Storage Capacity
-   x   x    Subset        AU-8        Time Stamps
-   x   x    Equivalent    AU-3        Content of Audit Records
-   x   x    Subset        AU-3(1)     Content of Audit Records | Additional Audit Information
-   x   x    Subset        AU-7        Audit Record Reduction and Report Generation
-   x   x    Subset        AU-12       Audit Record Generation
-   x   x    Subset        AU-2        Event Logging
-   x   x    Subset        AU-2        Event Logging
-   x   x    Subset        AU-2        Event Logging
-   x   x    Subset        AU-6(3)     Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories
-   x   x    Equivalent    AU-11       Audit Record Retention
-   x   x    Equivalent    AU-6        Audit Record Review, Analysis, and Reporting
-   x   x    Subset        AU-6(1)     Audit Record Review, Analysis, and Reporting | Automated Process Integration
-   x   x                  AU-7(1)     Audit Record Reduction and Report Generation | Automatic Processing
-   -   x    Subset        AU-2        Event Logging
x   x   x    Subset        CM-10       Software Usage Restrictions
x   x   x    Subset        SC-18       Mobile Code
x   x   x    Superset      SI-8        Spam Protection
-   x   x    Subset        SC-7(3)     Boundary Protection | Access Points
-   x   x    Subset        SC-7(4)     Boundary Protection | External Telecommunications Services
-   x   x    Subset        CM-10       Software Usage Restrictions
-   x   x    Subset        CM-11       User-installed Software
-   x   x    Subset        SC-18       Mobile Code
-   x   x    Subset        SC-7        Boundary Protection
-   x   x    Subset        SI-3        Malicious Code Protection
-   x   x    Subset        SI-8        Spam Protection
-   -   x    Subset        SI-3        Malicious Code Protection
-   -   x    Subset        SI-8        Spam Protection
x   x   x    Subset        SI-3        Malicious Code Protection
x   x   x    Subset        SI-3        Malicious Code Protection
x   x   x    Subset        MP-7        Media Use
-   x   x    Subset        MP-7        Media Use
-   x   x    Subset        SI-3        Malicious Code Protection
-   x   x    Superset      SI-16       Memory Protection
-   x   x    Subset        SI-3        Malicious Code Protection
-   x   x    Subset        SI-4        System Monitoring
x   x   x    Subset        CP-2        Contingency Plan
x   x   x    Subset        CP-10       System Recovery and Reconstitution
x   x   x    Subset        CP-9        System Backup
x   x   x    Subset        CP-10       System Recovery and Reconstitution
x   x   x    Subset        CP-9        System Backup
x   x   x    Subset        CP-9(8)     System Backup | Cryptographic Protection
x   x   x    Subset        SC-28       Protection of Information at Rest
x   x   x    Superset      CP-6        Alternate Storage Site
x   x   x    Superset      CP-6(1)     Alternate Storage Site | Separation from Primary Site
-   x   x    Subset        CP-4        Contingency Plan Testing
-   x   x    Subset        CP-9(1)     System Backup | Testing for Reliability and Integrity
x   x   x    Subset        CM-8(1)     System Component Inventory | Updates During Installation and Removal
-   x   x    Subset        PL-8        Security and Privacy Architectures
-   x   x    Subset        PM-7        Enterprise Architecture
-   x   x    Subset        SA-8        Security and Privacy Engineering Principles
-   x   x    Superset      CM-7        Least Functionality
-   x   x    Superset      CP-6        Alternate Storage Site
-   x   x    Superset      CP-7        Alternate Processing Site
-   x   x    Superset      SC-7        Boundary Protection
-   x   x    Subset        CM-6        Configuration Settings
-   x   x    Subset        CM-7        Least Functionality
-   x   x    Subset        SC-23       Session Authenticity
-   x   x    Subset        PL-8        Security and Privacy Architectures
-   x   x    Subset        PM-5        System Inventory
-   x   x    Subset        AC-2(1)     Account Management | Automated System Account Management
-   x   x    Subset        AC-18       Wireless Access
-   x   x    Subset        SC-23       Session Authenticity
-   x   x    Subset        AC-17       Remote Access
-   x   x    Subset        AC-17(1)    Remote Access | Monitoring and Control
-   x   x    Subset        AC-17(3)    Remote Access | Managed Access Control Points
-   x   x    Subset        AU-6(1)     Audit Record Review, Analysis, and Reporting | Automated Process Integration
-   x   x    Subset        AU-7        Audit Record Reduction and Report Generation
-   x   x    Superset      IR-4(1)     Incident Handling | Automated Incident Handling Processes
-   x   x    Superset      SI-4(2)     System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
-   x   x    Subset        SI-4(5)     System Monitoring | System-generated Alerts
-   x   x
-   x   x    Subset        SI-4        System Monitoring
-   x   x    Subset        SI-4(4)     System Monitoring | Inbound and Outbound Communications Traffic
-   x   x    Subset        CA-9        Internal System Connections
-   x   x    Subset        SC-7        Boundary Protection
-   x   x    Subset        AC-17       Remote Access
-   x   x    Subset        AC-17(1)    Remote Access | Monitoring and Control
-   x   x    Subset        SI-4        System Monitoring
-   x   x    Subset        SC-7        Boundary Protection
-   x   x    Subset        SI-4        System Monitoring
-   x   x    Superset      SI-4(4)     System Monitoring | Inbound and Outbound Communications Traffic
-   -   x    Subset        SI-4        System Monitoring
-   -   x    Subset        SI-4(4)     System Monitoring | Inbound and Outbound Communications Traffic
-   -   x    Subset        CM-6        Configuration Settings
-   -   x    Subset        CM-7        Least Functionality
-   -   x    Superset      SC-7(8)     Boundary Protection | Route Traffic to Authenticated Proxy Servers
-   -   x    Subset        SI-4        System Monitoring
x   x   x    Subset        AT-1        Policy and Procedures
x   x   x    Subset        AT-2        Literacy Training and Awareness
x   x   x    Subset        PM-13       Security and Privacy Workforce
x   x   x    Equivalent    AT-2(3)     Literacy Training and Awareness | Social Engineering and Mining
x   x   x    Subset        AT-2        Literacy Training and Awareness
x   x   x    Subset        AT-2        Literacy Training and Awareness
x   x   x    Subset        AC-22       Publicly Accessible Content
x   x   x    Subset        AT-2        Literacy Training and Awareness
x   x   x    Subset        AT-2        Literacy Training and Awareness
x   x   x    Subset        AT-2        Literacy Training and Awareness
-   x   x    Equivalent    AT-3        Role-based Training
x   x   x    Superset      PM-30(1)    Supply Chain Risk Management Strategy | Suppliers of Critical or Mission-essential Items
-   x   x    Superset      AC-21       Information Sharing
-   x   x    Subset        SA-9        External System Services
-   x   x    Subset        SA-9(2)     External System Services | Identification of Functions, Ports, Protocols, and Services
-   x   x    Subset        PM-30       Supply Chain Risk Management Strategy
-   x   x    Subset        SR-1        Policy and Procedures
-   x   x    Subset        AC-20       Use of External Systems
-   x   x    Superset      SR-6        Supplier Assessments and Reviews
-   x   x    Subset        AC-20(1)    Use of External Systems | Limits on Authorized Use
-   x   x    Subset        AC-20(2)    Use of External Systems | Portable Storage Devices — Restricted Use
-   x   x    Subset        PM-17       Protecting Controlled Unclassified Information on External Systems
-   x   x    Subset        SR-5        Acquisition Strategies, Tools, and Methods
-   x   x    Subset        SA-4        Acquisition Process
-   x   x    Subset        SR-5        Acquisition Strategies, Tools, and Methods
-   x   x    Subset        SR-6        Supplier Assessments and Reviews
-   -   x    Subset        AC-20(1)    Use of External Systems | Limits on Authorized Use
-   -   x    Subset        SI-4        System Monitoring
-   -   x    Subset        SR-6        Supplier Assessments and Reviews
-   x   x    Subset        SA-3        System Development Life Cycle
-   x   x    Subset        SA-15       Development Process, Standards, and Tools
-   x   x    Superset      CA-5        Plan of Action and Milestones
-   x   x    Subset        RA-1        Policy and Procedures
-   x   x    Subset        RA-5        Vulnerability Monitoring and Scanning
-   x   x    Subset        RA-7        Risk Response
-   x   x    Subset        SI-2        Flaw Remediation
-   x   x    Subset        CM-8        System Component Inventory
-   x   x    Subset        SR-11       Component Authenticity

Vulnerability Monitoring and


x x Subset RA-5
Scanning
x x Subset CM-6 Configuration Settings

x x Subset CM-7 Least Functionality

x x

Security and Privacy


x x Subset SA-8
Engineering Principles

Security and Privacy


x x Subset PL-8
Architectures

Security and Privacy


x x Subset SA-8
Engineering Principles

Development Process,
x x Subset SA-15
Standards, and Tools
Developer Testing and
x Subset SA-11
Evaluation

Development Process,
x Subset SA-15
Standards, and Tools

x x x Subset IR-1 Policy and Procedures

x x x Superset IR-7 Incident Response Assistance


x x x Subset IR-8 Incident Response Plan

x x x Subset IR-6 Incident Reporting

x x x Subset IR-6 Incident Reporting

Incident Reporting | Supply


x x x Superset IR-6(3)
Chain Coordination

x x x Subset IR-5 Incident Monitoring

x x Subset IR-6 Incident Reporting

Incident Reporting | Automated


x x Superset IR-6(1)
Reporting
x x Subset IR-8 Incident Response Plan

x x Subset IR-1 Policy and Procedures

Incident Reporting | Automated


x x Superset IR-6(1)
Reporting

x x Superset IR-6 Incident Reporting

Incident Reporting | Automated


x x Superset IR-6(1)
Reporting

x x Subset IR-8 Incident Response Plan

x x Subset IR-1 Policy and Procedures

x x Subset IR-8 Incident Response Plan

x x Superset CP-8 Telecommunications Services


x x Subset IR-8 Incident Response Plan

x x Equivalent IR-3 Incident Response Testing

x x Subset IR-4 Incident Handling

x Subset IR-6 Incident Reporting

x Subset IR-8 Incident Response Plan

x x
x x

x x

x
Control Text

a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;

Update the inventory of system components as part of component installations, removals, and system updates.

Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.

(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].
a. Monitor the system to detect:
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];

(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].

(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].

a. Monitor the system to detect:
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];

a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;

(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

a. Approve, control, and monitor the use of system maintenance tools; and
b. Review previously approved system maintenance tools [Assignment: organization-defined frequency].

a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
b. Provide the following options for alternative sources for continued support for unsupported components [Selection (one or more): in-house support; [Assignment: organization-defined support from external providers]].

Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].

a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods];
c. Monitor policy compliance [Assignment: organization-defined frequency].
(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].
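
The CM-8(3) text quoted in the rows above names a two-step mechanism: detect components that are not in the authorized inventory, then act (disable network access, isolate, notify). The following Python is an added example, not part of the CIS mapping or the NIST control text. It parses constructed ISC dhcpd-style lease records, compares the active leases against a constructed authorized inventory keyed by MAC address, and emits one action record per option in the control's Selection. The lease text, the inventory, the quarantine VLAN number and the notification address are all made up for the example, and the "disable" and "isolate" records are abstract, not commands for any particular NAC or switch product.

```python
import re

# Constructed sample of ISC dhcpd lease records (not a real capture).
SAMPLE_LEASES = """\
lease 10.20.1.23 {
  starts 3 2023/01/18 14:02:11;
  ends 3 2023/01/18 20:02:11;
  binding state active;
  hardware ethernet 3c:52:82:aa:01:23;
  client-hostname "fin-laptop-07";
}
lease 10.20.1.87 {
  starts 3 2023/01/18 14:10:40;
  ends 3 2023/01/18 20:10:40;
  binding state active;
  hardware ethernet b8:27:eb:11:22:33;
  client-hostname "raspberrypi";
}
lease 10.20.1.44 {
  starts 3 2023/01/18 09:00:00;
  ends 3 2023/01/18 15:00:00;
  binding state free;
  hardware ethernet 00:1a:2b:3c:4d:5e;
}
"""

# Constructed authorized inventory (the CM-8a side): MAC -> asset record.
AUTHORIZED = {
    "3c:52:82:aa:01:23": {"asset_id": "LT-0107", "owner": "finance"},
    "f4:81:39:00:aa:bb": {"asset_id": "PR-0012", "owner": "facilities"},
}

LEASE_RE = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(hardware ethernet|client-hostname|binding state)\s+(.+?);", re.M)


def parse_leases(text):
    """Yield one dict per lease block: ip, mac, hostname, binding state."""
    for m in LEASE_RE.finditer(text):
        fields = {k: v.strip().strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        yield {
            "ip": m.group("ip"),
            "mac": fields.get("hardware ethernet", "").lower(),
            "hostname": fields.get("client-hostname", ""),
            # Older lease files omit the state; treat absence as active (conservative).
            "state": fields.get("binding state", "active"),
        }


def detect_unauthorized(leases, authorized):
    """CM-8(3)(a): an active lease whose MAC is not in the inventory is an
    unauthorized component. Free/expired leases are not current presence."""
    return [l for l in leases if l["state"] == "active" and l["mac"] not in authorized]


def respond(unauthorized, notify="soc@example.org"):
    """CM-8(3)(b): action records for the three Selection options. Which
    apply is organization-defined; all three are emitted here. The VLAN
    and address are constructed; the records are product-agnostic."""
    actions = []
    for dev in unauthorized:
        actions.append({"action": "disable_network_access", "mac": dev["mac"]})
        actions.append({"action": "isolate", "ip": dev["ip"], "quarantine_vlan": 999})
        actions.append({"action": "notify", "to": notify,
                        "msg": f"unauthorized device {dev['mac']} "
                               f"({dev['hostname'] or 'no hostname'}) at {dev['ip']}"})
    return actions


def run(text=SAMPLE_LEASES, authorized=AUTHORIZED):
    """One detection cycle: parse, diff against inventory, produce actions."""
    unauthorized = detect_unauthorized(list(parse_leases(text)), authorized)
    return unauthorized, respond(unauthorized)


if __name__ == "__main__":
    found, actions = run()
    for dev in found:
        print("unauthorized:", dev)
    for act in actions:
        print(act)
```

MAC-keyed matching is only as good as the inventory behind it and is trivially spoofed, so in practice pair it with 802.1X or certificate-based device identity; the control's point is that detection runs with automated mechanisms on a defined frequency rather than waiting for someone to notice a new host.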
(a) Identify [Assignment: organization-defined software programs authorized to execute on the system];
(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
(c) Review and update the list of authorized software programs [Assignment: organization-defined frequency].
a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and
b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].

Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
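
SI-7 and SI-7(1) above describe integrity verification as three parts: a trusted reference state, a check at startup, on security-relevant events or on a schedule, and an organization-defined response. The following Python is an added example (not from the CIS mapping or from NIST) of that loop over a file tree: it records a baseline of SHA-256 digests, re-hashes the tree later, classifies differences as modified, removed or added, and turns each finding into an alert record. The sample files, the tampering and the alert format are constructed for the example; the choice of SHA-256 is an assumption, since the control leaves the tool and the covered objects organization-defined.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed for this example; the control leaves the hash and scope organization-defined.
HASH_NAME = "sha256"
CHUNK_SIZE = 1 << 16


def file_digest(path):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.new(HASH_NAME)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """SI-7a, the reference state: relative path -> digest, taken once from a
    known-good system. Keep it off-host or signed; a baseline the monitored
    host can rewrite is worthless once that host is compromised."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_integrity(root, baseline):
    """SI-7(1): re-hash the tree (at startup, on a security-relevant event or
    on a schedule) and diff against the baseline. Deletions and additions are
    reported as well as modifications: a removed config file or a dropped
    binary is an unauthorized change too."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def respond(findings):
    """SI-7b, the organization-defined action: here one alert record per
    finding for an operator or SIEM to act on (constructed record format)."""
    return [{"event": "integrity_violation", "change": kind, "path": p}
            for kind, paths in findings.items() for p in paths]


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original sshd image")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")

        # What you would keep off-host: the serialized baseline.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Three kinds of unauthorized change (constructed).
        (root / "bin" / "sshd").write_bytes(b"\x7fELF trojaned sshd image")
        (root / "etc" / "sshd_config").unlink()
        (root / "bin" / ".cache").write_text("#!/bin/sh\n# constructed dropped file\n")

        findings = verify_integrity(root, json.loads(stored))
        return findings, respond(findings)


if __name__ == "__main__":
    findings, alerts = demo()
    print(json.dumps(findings, indent=2))
    for alert in alerts:
        print(alert)
```

Trigger verify_integrity from the "transitional states or security-relevant events" the organization defines (after a package update, on boot, after a privileged session), not only on a timer, and make the baseline update itself an approved change so that an attacker cannot simply re-baseline after tampering.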
Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.

Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.

Establish, maintain, and update [Assignment: organization-defined frequency] an inventory of all systems, applications, and projects that process personally identifiable information.
a. Categorize the system and information it processes, stores, and transmits;
b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
b. Define system access authorizations to support separation of duties.

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].

Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].

Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

a. Categorize the system and information it processes, stores, and transmits;
b. Document the security categorization results, including supporting rationale, in the security plan for the system; and
c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

a. Protect and control [Assignment: organization-defined types of system media] during transport outside of controlled areas using [Assignment: organization-defined controls];
b. Maintain accountability for system media during transport outside of controlled areas;
c. Document activities associated with the transport of system media; and
d. Restrict the activities associated with the transport of system media to authorized personnel.
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignment: organization-defined systems or system components] using [Assignment: organization-defined controls];

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

g. Protecting authenticator content from unauthorized disclosure and modification;

(c) Transmit passwords only over cryptographically-protected channels;

Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.

Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
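
IA-5(1)(d) above requires that passwords be stored using an approved salted key derivation function, preferably a keyed hash. The Python below is an added example, not from the CIS mapping or the NIST text: it shows the forbidden form (a plain unsalted digest) next to a compliant form using PBKDF2-HMAC-SHA256 (the construction NIST SP 800-132 specifies) with a per-record random salt, a self-describing record format, constant-time verification, and a check for records that must be re-derived when the work factor is raised. The record layout, the 16-byte salt and the iteration count are assumptions; NIST leaves the function and its parameters to the organization.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy values for this example (the controls leave the KDF, salt
# length and work factor organization-defined). 600,000 is the OWASP Password
# Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
KDF_NAME = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
DK_LEN = 32


def weak_hash(password):
    """What IA-5(1)(d) forbids: unsalted, unkeyed, fast. Equal passwords give
    equal digests, so a leaked table falls to precomputed lookups."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, keyed derivation: PBKDF2 iterates HMAC-SHA256 over a per-record
    random salt. The record carries its own parameters so the work factor can
    be raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return "$".join([
        KDF_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count, then compare in
    constant time. Any malformed or foreign record verifies as False."""
    try:
        name, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
    except ValueError:
        return False
    if name != KDF_NAME or iterations < 1:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, min_iterations=ITERATIONS):
    """True when the stored record was derived with a weaker work factor than
    current policy (or with a different KDF); re-derive at next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != KDF_NAME or int(parts[1]) < min_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("Tr0ub4dor&3", rec))
    # Same password twice: the weak form collides, the salted KDF does not.
    print(weak_hash("hunter2") == weak_hash("hunter2"))
    print(hash_password("hunter2") == hash_password("hunter2"))
```

verify_password never compares with ==; hmac.compare_digest removes the timing side channel on the derived key. When needs_rehash returns True after a successful login, call hash_password again under the current policy and overwrite the record; that is how a deployment migrates to a stronger work factor without forcing password resets.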

Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].

d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;

a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.

Prevent unauthorized and unintended information transfer via shared system resources.

Log the execution of privileged functions.

c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system;

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities];

(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
e. Protects the configuration management plan from unauthorized disclosure and modification.

a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [Assignment: organization-defined systems security and privacy engineering principles].

Require the developer of the system, system component, or system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
b. Authorize each type of wireless access to the system prior to allowing such connections.

Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system;

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
e. Protects the configuration management plan from unauthorized disclosure and modification.

Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and
b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].

a. Approve and monitor nonlocal maintenance and diagnostic activities;
b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;
c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;
d. Maintain records for nonlocal maintenance and diagnostic activities; and
e. Terminate session and network connections when nonlocal maintenance is completed.

e. Changing default authenticators prior to first use;

a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period];
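
AC-7a above has two organization-defined parameters: a count of consecutive invalid logon attempts and the time period within which they are counted. The Python below is an added example, not from the CIS mapping or the NIST control text, of that counting logic: failures are kept per account in a sliding window, a success resets the run, reaching the limit locks the account, and while locked the submitted authenticator is not checked at all. The five attempts, fifteen-minute window and thirty-minute lockout are assumptions, and the lockout itself is the AC-7b response, which this page does not quote.

```python
from collections import deque

# Assumed values for the organization-defined parameters in AC-7a (limit and
# time period) plus a lockout duration for the AC-7b response. Not taken from
# the CIS or NIST text.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60


class LogonLimiter:
    """Counts consecutive invalid logon attempts per account inside a sliding
    time window and locks the account once the limit is reached.

    The caller passes `now` (seconds) so the logic is deterministic and
    testable; production code would pass time.time() or a monotonic clock.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0.0)

    def _recent_failures(self, user, now):
        q = self._failures.setdefault(user, deque())
        # Failures older than the window stop counting: the limit applies
        # "during [the organization-defined time period]".
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, user, verify_authenticator, now):
        """Process one logon attempt.

        verify_authenticator is a zero-argument callable that checks the
        submitted credential. It is deliberately not called while the account
        is locked, so a locked account yields no oracle on the password and
        continued probing cannot keep the lock alive.
        Returns 'locked', 'ok', 'failed' or 'locked_now'.
        """
        if self.is_locked(user, now):
            return "locked"
        q = self._recent_failures(user, now)
        if verify_authenticator():
            q.clear()            # a success ends the consecutive run
            return "ok"
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return "locked_now"
        return "failed"


if __name__ == "__main__":
    limiter = LogonLimiter(max_failures=3, window=60, lockout=600)
    for t in range(4):
        print(t, limiter.attempt("alice", lambda: False, t))
    print("correct password while locked:", limiter.attempt("alice", lambda: True, 10))
    print("after lockout expires:", limiter.attempt("alice", lambda: True, 700))
```

Per-account lockout hands an attacker a denial-of-service lever (a few bad passwords against every known username), so pair it with per-source throttling and an administrative unlock path rather than relying on it alone.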

a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
b. Authorize the connection of mobile devices to organizational systems.

a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
b. Authorize the connection of mobile devices to organizational systems.

a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
1. Access the system from external systems; and
2. Process, store, or transmit organization-controlled information using external systems; or
b. Prohibit the use of [Assignment: organizationally-defined types of external systems].

Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

Maintain a separate execution domain for each executing system process.


a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
1. [Assignment: organization-defined time period] when accounts are no longer required;
2. [Assignment: organization-defined time period] when users are terminated or transferred; and
3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
l. Align account management processes with personnel termination and transfer processes.

(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].

Disable accounts within [Assignment: organization-defined time period] when the accounts:
(a) Have expired;
(b) Are no longer associated with a user or individual;
(c) Are in violation of organizational policy; or
(d) Have been inactive for [Assignment: organization-defined time period].

Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions
information] use non-privileged accounts or roles, when accessing nonsecurity functions.

Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].

a. Define and document the types of accounts allowed and specifically prohibited for use within the system;
b. Assign account managers;
c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
d. Specify:
1. Authorized users of the system;
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each ac
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined polic
prerequisites, and criteria];
g. Monitor the use of accounts;
h. Notify account managers and [Assignment: organization-defined personnel or roles] within:
1. [Assignment: organization-defined time period] when accounts are no longer required;
2. [Assignment: organization-defined time period] when users are terminated or transferred; and
3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
i. Authorize access to the system based on:
1. A valid access authorization;
2. Intended system usage; and
3. [Assignment: organization-defined attributes (as required)];
j. Review accounts for compliance with account management requirements [Assignment: organization-defined frequ
k. Establish and implement a process for changing shared or group account authenticators (if deployed) when indivi
from the group; and
l. Align account management processes with personnel termination and transfer processes.

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

Manage system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group,
device identifier;
b. Selecting an identifier that identifies an individual, group, role, service, or device;

d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromis
authenticators, and for revoking authenticators;
f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or whe
organization-defined events] occur;

3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each ac
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined polic
prerequisites, and criteria];
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined polic
prerequisites, and criteria];
Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
control policy and procedures; and
c. Review and update the current access control:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

k. Establish and implement a process for changing shared or group account authenticators (if deployed) when indivi
from the group; and
l. Align account management processes with personnel termination and transfer processes.

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

Implement multi-factor authentication for access to privileged accounts.

Implement multi-factor authentication for access to non-privileged accounts.

a. Establish configuration requirements, connection requirements, and implementation guidance for organization-con
devices, to include when such devices are outside of controlled areas; and
b. Authorize the connection of mobile devices to organizational systems.

Implement multi-factor authentication for access to privileged accounts.

Implement multi-factor authentication for access to non-privileged accounts.

Implement multi-factor authentication for access to privileged accounts.

a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: [Assignment: organization-defined
deemed necessary to achieve effective system component accountability]; and
b. Review and update the system component inventory [Assignment: organization-defined frequency].

(a) Accept only external authenticators that are NIST-compliant; and
(b) Document and maintain a list of accepted external authenticators.

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

Enforce approved authorizations for logical access to information and system resources in accordance with applicab
policies.
2. Group and role membership; and
3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each ac
e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined polic
prerequisites, and criteria];

a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
b. Define system access authorizations to support separation of duties.

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of
necessary to accomplish assigned organizational tasks.

Authorize access for [Assignment: organization-defined individuals or roles] to:
(a) [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
(b) [Assignment: organization-defined security-relevant information].

(a) Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-define
users] to validate the need for such privileges; and
(b) Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.

Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of p
roles].
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an org
assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment:
personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an org
assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment:
personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organization

c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of th
updates; and
Determine if system components have applicable security-relevant software and firmware updates installed using [A
organization-defined automated mechanisms] [Assignment: organization-defined frequency].
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an org
assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment:
personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organization

c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of th
updates; and
Determine if system components have applicable security-relevant software and firmware updates installed using [A
organization-defined automated mechanisms] [Assignment: organization-defined frequency].
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;

Update the system vulnerabilities to be scanned [Selection (one or more): [Assignment: organization-defined freque
scan; when new vulnerabilities are identified and reported].

Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organization
a. Identify, report, and correct system flaws;

2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and acc

c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (su
types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];

a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: org
event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide
selection criteria for events to be logged;
Provide and implement an audit record reduction and report generation capability that:
a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations o
b. Does not alter the original content or time ordering of audit records.
a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2
organization-defined system components];

Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requireme

a. Use internal system clocks to generate time stamps for audit records; and
b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measureme
Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the loca
of the time stamp.

Ensure that audit records contain information that establishes the following:
a. What type of event occurred;
b. When the event occurred;
c. Where the event occurred;
d. Source of the event;
e. Outcome of the event; and
f. Identity of any individuals, subjects, or objects/entities associated with the event.

Generate audit records containing the following additional information: [Assignment: organization-defined additional

Provide and implement an audit record reduction and report generation capability that:
a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations o
b. Does not alter the original content or time ordering of audit records.

a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2
organization-defined system components];
a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: org
event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide
selection criteria for events to be logged;
c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (su
types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fa
incidents; and
e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: org
event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide
selection criteria for events to be logged;
c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (su
types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fa
incidents; and
e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: org
event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide
selection criteria for events to be logged;
c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (su
types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fa
incidents; and
e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to pr
after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirement
a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assign
defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;

Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated

Provide and implement the capability to process, sort, and search audit records for events of interest based on the f
[Assignment: organization-defined fields within audit records].
a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: org
event types that the system is capable of logging];
b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide
selection criteria for events to be logged;
c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (su
types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fa
incidents; and
e. Review and update the event types selected for logging [Assignment: organization-defined frequency].

a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and dis
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for
distribution, display, performance, or reproduction of copyrighted work.
a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages;
b. Update spam protection mechanisms when new releases are available in accordance with organizational configur
policy and procedures.

Limit the number of external network connections to the system.

(h) Filter unauthorized control plane traffic from external networks.

a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and dis
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for
distribution, display, performance, or reproduction of copyrighted work.
a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods];
c. Monitor policy compliance [Assignment: organization-defined frequency].

a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
a. Monitor and control communications at the external managed interfaces to the system and at key internal manage
the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separ
organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devi
accordance with an organizational security and privacy architecture.

a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanism
and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with or
configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files fr
at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or execute
with organizational policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-define
alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential i
availability of the system.

a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages;
b. Update spam protection mechanisms when new releases are available in accordance with organizational configur
policy and procedures.

a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanism
and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with or
configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files fr
at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or execute
with organizational policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-define
alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential i
availability of the system.

a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages;
b. Update spam protection mechanisms when new releases are available in accordance with organizational configur
policy and procedures.

a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanism
and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with or
configuration management policy and procedures;
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignmen
defined systems or system components] using [Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable ow
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined types of system media] on [Assignmen
defined systems or system components] using [Assignment: organization-defined controls]; and
b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable ow
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files fr
at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or execute
with organizational policy; and

Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: org
controls].

a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanism
and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with or
configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files fr
at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or execute
with organizational policy; and
2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-define
alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential i
availability of the system.

a. Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: or
monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization
and methods];
c. Invoke internal monitoring capabilities or deploy monitoring devices:
1. Strategically within the system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and asse
organizations, or the Nation;
f. Obtain legal opinion regarding system monitoring activities; and
g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined p
[Selection (one or more): as needed; [Assignment: organization-defined frequency]].
a. Develop a contingency plan for the system that:
1. Identifies essential mission and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failu
5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemente
6. Addresses the sharing of contingency information; and
7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identifi
by role) and organizational elements];
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system [Assignment: organization-defined frequency];
e. Update the contingency plan to address changes to the organization, system, or environment of operation and pro
during contingency plan implementation, execution, or testing;
f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identifie
by role) and organizational elements];
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingen
training; and
h. Protect the contingency plan from unauthorized disclosure and modification.

Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined
consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.

a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [A
organization-defined frequency consistent with recovery time and recovery point objectives];
Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined
consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.

d. Protect the confidentiality, integrity, and availability of backup information.

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organiza
information].
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organ
information at rest].
a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system
and
b. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to

a. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests t
effectiveness of the plan and the readiness to execute the plan:

Test backup information [Assignment: organization-defined frequency] to verify media reliability and information inte
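The two backup controls above (cryptographic protection of backup information, and periodic testing of backup media and information integrity) are stated as requirements only. The Python below is an added worked example, not part of the CIS mapping or the NIST control text: it builds a signed integrity manifest for a backup set and verifies a restore candidate against it, reporting modified, missing and unexpected objects. The backup contents, object names and the HMAC key are constructed for the example. It covers the integrity half of the requirement; confidentiality additionally needs the backup encrypted with an authenticated cipher (for example AES-GCM from a library such as `cryptography`), which the standard library does not provide and which is not shown here.

```python
"""Signed integrity manifest for a backup set (added example, not from the source).

Assumptions made here, not in the CIS/NIST text: a backup is a set of named byte
strings, the manifest is canonical JSON, and the HMAC key is stored apart from the
backup media (for example in a KMS), so an attacker who alters the media cannot
re-sign the manifest.
"""
import hashlib
import hmac
import json

# Constructed sample backup set; in practice these are files or object-store blobs.
SAMPLE_BACKUP = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "home/alice/notes.txt": b"quarterly numbers\n",
    "var/db/app.sqlite": bytes(range(256)),
}
# Constructed key for the example only; never derive or store it alongside the backup.
SAMPLE_KEY = b"\x13" * 32


def build_manifest(backup):
    """Canonical JSON mapping each object name to its SHA-256 digest."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(backup.items())}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the manifest; this is what makes silent modification detectable."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def verify_backup(backup, manifest, tag, key):
    """Return a list of problems; an empty list means the backup verified cleanly."""
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        problems.append("manifest: HMAC mismatch (manifest altered or wrong key)")
        return problems  # the digests inside cannot be trusted, so stop here
    expected = json.loads(manifest)
    for name, digest in expected.items():
        if name not in backup:
            problems.append(f"{name}: missing from backup")
        elif hashlib.sha256(backup[name]).hexdigest() != digest:
            problems.append(f"{name}: content digest mismatch")
    for name in backup:
        if name not in expected:
            problems.append(f"{name}: not in manifest (unexpected extra object)")
    return problems


def demo():
    """Sign the constructed set, then verify a clean copy, a tampered file and a tampered manifest."""
    manifest = build_manifest(SAMPLE_BACKUP)
    tag = sign_manifest(manifest, SAMPLE_KEY)
    clean = verify_backup(SAMPLE_BACKUP, manifest, tag, SAMPLE_KEY)

    tampered = dict(SAMPLE_BACKUP)
    tampered["etc/passwd"] = tampered["etc/passwd"].replace(b"root:x:", b"root::")
    bad_file = verify_backup(tampered, manifest, tag, SAMPLE_KEY)

    bad_manifest = verify_backup(SAMPLE_BACKUP, manifest.replace(b"passwd", b"shadow"), tag, SAMPLE_KEY)
    return clean, bad_file, bad_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered file", "tampered manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Running this as a scheduled restore test satisfies the "verify media reliability and information integrity" requirement in a way that also detects deliberate tampering, which a plain checksum file stored next to the backup does not: whoever can rewrite the media can rewrite an unsigned checksum too.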
Update the inventory of system components as part of component installations, removals, and system updates.
a. Develop security and privacy architectures for the system that:
1. Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of
information;
2. Describe the requirements and approach to be taken for processing personally identifiable information to minimize
individuals;
3. Describe how the architectures are integrated into and support the enterprise architecture; and
4. Describe any assumptions about, and dependencies on, external systems and services;
b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enter
and
c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality a
organizational procedures, and procurements and acquisitions.
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resultin
organizational operations and assets, individuals, other organizations, and the Nation.
Apply the following systems security and privacy engineering principles in the specification, design, development, im
modification of the system and system components: [Assignment: organization-defined systems security and privacy
principles].
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: orga
prohibited or restricted functions, system ports, protocols, software, and/or services].
a. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [A
organization-defined system operations] for essential mission and business functions within [Assignment: organizati
period consistent with recovery time and recovery point objectives] when the primary processing capabilities are una
b. Make available at the alternate processing site, the equipment and supplies required to transfer and resume oper
contracts in place to support delivery to the site within the organization-defined time period for transfer and resumpti
c. Provide controls at the alternate processing site that are equivalent to those at the primary site.

a. Monitor and control communications at the external managed interfaces to the system and at key internal manage
the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separ
organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devi
accordance with an organizational security and privacy architecture.

a. Establish and document configuration settings for components employed within the system that reflect the most re
consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organiza
components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedur

a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: orga
prohibited or restricted functions, system ports, protocols, software, and/or services].
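CM-6 and CM-7 above ask for documented secure configuration settings, approved and documented deviations, and a list of prohibited functions, ports and services. As an added example (not from the CIS mapping or the NIST text), the Python below compares a constructed host snapshot against a constructed baseline and separates approved, ticketed deviations from unapproved ones. The baseline values, the host snapshot and the change-ticket identifier are assumptions of the example, not settings from any published benchmark.

```python
"""Baseline-versus-observed configuration check (added example, not from the source).

Assumptions (mine, not the source's): a host's effective settings can be collected
into a flat dict, and approved deviations (CM-6 c) are recorded per host with the
setting, its value and the ticket that approved them.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed "common secure configuration" for a Linux web server (illustrative values).
BASELINE = {
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "kernel.randomize_va_space": "2",
        "audit.enabled": "yes",
    },
    "prohibited_services": {"telnet", "rsh", "ftp"},
    "allowed_listen_ports": {22, 443},
}

# Constructed snapshot of what one host is actually running.
OBSERVED = {
    "host": "web-03",
    "settings": {
        "sshd.PermitRootLogin": "yes",
        "sshd.PasswordAuthentication": "no",
        "kernel.randomize_va_space": "2",
        # audit.enabled is absent entirely, which is treated as a deviation
    },
    "services": {"sshd", "nginx", "telnet"},
    "listen_ports": {22, 443, 8080},
}

# Constructed approved deviations: (host, kind, value) -> approving change ticket.
APPROVED = {("web-03", "port", 8080): "CHG-1042"}


@dataclass
class Finding:
    host: str
    kind: str
    detail: str
    approved_by: Optional[str] = None  # set when the deviation is documented and approved


def assess(observed, baseline, approved):
    """Return every deviation from the baseline, tagging those with an approval record."""
    host = observed["host"]
    findings = []

    def add(kind, value, detail):
        findings.append(Finding(host, kind, detail, approved.get((host, kind, value))))

    for key, want in baseline["settings"].items():
        got = observed["settings"].get(key)
        if got != want:
            add("setting", key, f"{key}={got!r}, baseline requires {want!r}")
    for svc in sorted(observed["services"] & baseline["prohibited_services"]):
        add("service", svc, f"prohibited service {svc} is running")
    for port in sorted(observed["listen_ports"] - baseline["allowed_listen_ports"]):
        add("port", port, f"listening port {port} is not in the allowed set")
    return findings


def unapproved(findings):
    """Deviations with no approval record; these fail the host and need a ticket or a fix."""
    return [f for f in findings if f.approved_by is None]


if __name__ == "__main__":
    for f in assess(OBSERVED, BASELINE, APPROVED):
        status = f"approved ({f.approved_by})" if f.approved_by else "UNAPPROVED"
        print(f"{f.host} {f.kind:8} {status:20} {f.detail}")
```

The point of tracking approvals as data rather than in a spreadsheet is that the same check can run in a pipeline: a new unapproved deviation blocks the change, while the ticketed port 8080 exception is reported but does not fail the host.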

Protect the authenticity of communications sessions.


Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wir
b. Authorize each type of wireless access to the system prior to allowing such connections.

a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance
remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.

Employ automated mechanisms to monitor and control remote access methods.

Route remote accesses through authorized and managed network access control points.

Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated

Provide and implement an audit record reduction and report generation capability that:
a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations o
b. Does not alter the original content or time ordering of audit records.
Support the incident handling process using [Assignment: organization-defined automated mechanisms].

Employ automated tools and mechanisms to support near real-time analysis of events.

Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of com
compromise occur: [Assignment: organization-defined compromise indicators].

a. Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: or
monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications
(b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignm
defined unusual or unauthorized activities or conditions].
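SI-4(4) above requires criteria for unusual or unauthorized inbound and outbound communications, and SI-4(5) requires alerting on defined compromise indicators. The Python below is an added example, not part of the CIS mapping or the NIST text, that encodes three such outbound criteria over constructed flow records: a server reaching the Internet without going through the egress proxy, bulk outbound volume to one external host, and beaconing at a near-constant interval. The address ranges, thresholds and flow records are all assumptions of the example.

```python
"""Outbound traffic criteria and alerting over constructed flow records.

Added example, not from the CIS or NIST material. The address space, server
segment, proxy placement and thresholds below are assumptions for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: "epoch,src,dst,dport,bytes_out".
SAMPLE_FLOWS = """\
1700000000,10.0.2.15,10.0.0.5,443,1200
1700000060,10.0.2.15,10.0.0.5,443,900
1700000000,10.0.2.20,203.0.113.7,8443,512
1700000300,10.0.2.20,203.0.113.7,8443,520
1700000600,10.0.2.20,203.0.113.7,8443,498
1700000900,10.0.2.20,203.0.113.7,8443,530
1700000010,10.0.2.33,198.51.100.9,443,60000000
1700000020,10.0.3.5,10.0.2.15,22,3000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # organizational address space
SERVER_NET = ipaddress.ip_network("10.0.2.0/24")  # servers must egress only via the proxy,
                                                  # which sits at 10.0.0.5, outside SERVER_NET
VOLUME_LIMIT = 50_000_000   # bytes from one internal host to one external host
BEACON_MIN_HITS = 4         # connections needed before periodicity is judged
BEACON_MAX_JITTER = 0.10    # pstdev/mean of inter-arrival gaps; lower means more regular


def parse_flows(text):
    """Parse the CSV records into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), int(nbytes)))
    return flows


def detect(flows):
    """Apply the three criteria; return alert tuples (indicator, src, dst, detail)."""
    unauthorized = set()
    volume = defaultdict(int)
    timestamps = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        outbound = src in INTERNAL and dst not in INTERNAL
        if not outbound:
            continue  # internal-to-internal traffic is outside these criteria
        # Criterion 1: a server talking to the Internet directly bypassed the proxy.
        if src in SERVER_NET:
            unauthorized.add((str(src), str(dst), dport))
        volume[(str(src), str(dst))] += nbytes
        timestamps[(str(src), str(dst), dport)].append(ts)

    alerts = [("unauthorized-egress",) + key for key in sorted(unauthorized)]
    # Criterion 2: bulk transfer to a single external host (possible exfiltration).
    for (src, dst), total in sorted(volume.items()):
        if total > VOLUME_LIMIT:
            alerts.append(("volume", src, dst, total))
    # Criterion 3: beaconing, repeated connections at a near-constant interval.
    for (src, dst, dport), times in sorted(timestamps.items()):
        if len(times) < BEACON_MIN_HITS:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_JITTER:
            alerts.append(("beacon", src, dst, int(mean)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

Each alert tuple is the "system-generated indication of compromise" SI-4(5) wants routed to a named role; the constructed input produces two proxy bypasses, one volume alert and one 300-second beacon, and the benign server-to-proxy and admin-to-server flows produce nothing.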
b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the n
information communicated;

Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

a. Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: or
monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and asse
organizations, or the Nation;

1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and trainin
c. Review and update the current awareness and training:
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contrac

Establish a security and privacy workforce development and improvement program.

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social

a. Designate individuals authorized to make information publicly accessible;
b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

a. Provide role-based security and privacy training to personnel with the following roles and responsibilities:

Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
a. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the info
and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion
b. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in makin
sharing and collaboration decisions.

a. Require that providers of external system services comply with organizational security and privacy requirements a
following controls: [Assignment: organization-defined controls]

Require providers of the following external system services to identify the functions, ports, protocols, and other servi
use of such services: [Assignment: organization-defined external system services].

a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisit
and disposal of systems, system components, and system services;
b. Review and update the supply chain risk management strategy on [Assignment: organization-defined frequency]
address organizational changes; and
c. Implement the supply chain risk management strategy consistently across the organization.

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] supply chain risk man
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply
management controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
chain risk management policy and procedures; and
c. Review and update the current supply chain risk management:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment
defined controls asserted to be implemented on external systems]], consistent with the trust relationships establishe
organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
1. Access the system from external systems; and
2. Process, store, or transmit organization-controlled information using external systems; or
b. Prohibit the use of [Assignment: organizationally-defined types of external systems].

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system co
service they provide [Assignment: organization-defined frequency].

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organ
information only after:
(a) Verification of the implementation of controls on the external system as specified in the organization’s security an
and security and privacy plans; or
(b) Retention of approved system connection or processing agreements with the organizational entity hosting the ex
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems us
organization-defined restrictions].

a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified informatio
stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, di
regulations, and standards; and
b. Review and update the policy and procedures [Assignment: organization-defined frequency].

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and
chain risks: [Assignment: organization-defined acquisition strategies, contract tools, and procurement methods].

a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements;
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chai

a. Monitor the system to detect:
1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: or
monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization
and methods];
c. Invoke internal monitoring capabilities or deploy monitoring devices:
1. Strategically within the system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and asse
organizations, or the Nation;
f. Obtain legal opinion regarding system monitoring activities; and
g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined p
[Selection (one or more): as needed; [Assignment: organization-defined frequency]].

a. Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle
information security and privacy considerations;
b. Define and document information security and privacy roles and responsibilities throughout the system developme
c. Identify individuals having information security and privacy roles and responsibilities; and
d. Integrate the organizational information security and privacy risk management process into system development l

a. Require the developer of the system, system component, or system service to follow a documented development
1. Explicitly addresses security and privacy requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization
to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy
security and privacy requirements: [Assignment: organization-defined security and privacy requirements].
a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organ
weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabi
and
b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings
assessments, independent audits or reviews, and continuous monitoring activities.

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment polic
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment con
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
assessment policy and procedures; and
c. Review and update the current risk assessment:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequ
randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the sys
and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate part
management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an org
assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment:
personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organization

a. Identify, report, and correct system flaws;
b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before
c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of th
updates; and
d. Incorporate flaw remediation into the organizational configuration management process.

a. Develop and document an inventory of system components that:
1. Accurately reflects the system;
2. Includes all components within the system;
3. Does not include duplicate accounting of components or components assigned to any other system;
4. Is at the level of granularity deemed necessary for tracking and reporting; and
5. Includes the following information to achieve system component accountability: [Assignment: organization-defined
deemed necessary to achieve effective system component accountability]; and
b. Review and update the system component inventory [Assignment: organization-defined frequency].

a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent coun
from entering the system; and
b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignmen
defined external reporting organizations]; [Assignment: organization-defined personnel or roles]].

Require the developer of the system, system component, or system service, at all post-design stages of the system
cycle, to:
a. Develop and implement a plan for ongoing security and privacy control assessments;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organizati
frequency] at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during testing and evaluation.

b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
incident response policy and procedures; and

Provide an incident response support resource, integral to the organizational incident response capability, that offers
assistance to users of the system for the handling and reporting of incidents.
10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel
and/or by role) and organizational elements];

a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignm
defined time period]; and
b. Report incident information to [Assignment: organization-defined authorities].

Provide incident information to the provider of the product or service and other organizations involved in the supply c
governance for systems or system components related to the incident.

Track and document incidents.

Report incidents using [Assignment: organization-defined automated mechanisms].


a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response
8. Addresses the sharing of incident information;
9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-de
and
10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel
and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems encountered durin
implementation, execution, or testing;
d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel
and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.

c. Review and update the current incident response:

Report incidents using [Assignment: organization-defined automated mechanisms].

a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignm
defined time period]; and
b. Report incident information to [Assignment: organization-defined authorities].

Report incidents using [Assignment: organization-defined automated mechanisms].

2. Describes the structure and organization of the incident response capability;


6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response

b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
incident response policy and procedures; and

10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel
and/or by role) and organizational elements];

Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assig
organization-defined system operations] for essential mission and business functions within [Assignment: organizati
period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processin
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an incident response
8. Addresses the sharing of incident information;
9. Is reviewed and approved by [Assignment: organization-defined personnel or roles] [Assignment: organization-de
and
10. Explicitly designates responsibility for incident response to [Assignment: organization-defined entities, personnel
b. Distribute copies of the incident response plan to [Assignment: organization-defined incident response personnel
and/or by role) and organizational elements];
c. Update the incident response plan to address system and organizational changes or problems encountered durin
implementation, execution, or testing;
d. Communicate incident response plan changes to [Assignment: organization-defined incident response personnel
and/or by role) and organizational elements]; and
e. Protect the incident response plan from unauthorized disclosure and modification.

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequenc
following tests: [Assignment: organization-defined tests].

c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training,
implement the resulting changes accordingly; and

a. Require personnel to report suspected incidents to the organizational incident response capability within [Assignm
defined time period]; and
b. Report incident information to [Assignment: organization-defined authorities].

5. Defines reportable incidents;


Moderate Baseline

N/A - Deployed organization-wide

x
x

x
x

x
x

N/A - Deployed organization-wide

N/A - Deployed organization-wide

N/A - Deployed organization-wide

N/A - Deployed organization-wide

x
x

x
x

x
x

x
x

x
x

x
x

x
x

x
x
x

x
x

x
x
x
x

x
x

x
x

x
x

x
x
x

x
x

N/A - Deployed organization-wide

x
x

N/A - Deployed organization-wide

x
x

x
x

x
N/A - Deployed organization-wide

N/A - Deployed organization-wide


x

N/A - Deployed organization-wide

x
x

N/A - Deployed organization-wide

x
x

x
x

x
x

x
x

x
x

x
x

x
The following are Controls from NIST SP 800-53 MODERATE baseline that are NOT mapped to CIS Controls v8

Control Identifier    Control (or Control Enhancement) Name
AC-2(2)      Account Management | Automated Temporary and Emergency Account Management
AC-2(4)      Account Management | Automated Audit Actions
AC-2(13)     Account Management | Disable Accounts for High-risk Individuals
AC-6(10)     Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions
AC-12        Session Termination
AC-17(4)     Remote Access | Privileged Commands and Access
CA-2(1)      Control Assessments | Independent Assessors
CA-7(1)      Continuous Monitoring | Independent Assessment
CM-2(2)      Baseline Configuration | Automation Support for Accuracy and Currency
CM-2(3)      Baseline Configuration | Retention of Previous Configurations
CM-2(7)      Baseline Configuration | Configure Systems and Components for High-risk Areas
CM-3         Configuration Change Control
CM-3(2)      Configuration Change Control | Testing, Validation, and Documentation of Changes
CM-3(4)      Configuration Change Control | Security and Privacy Representatives
CP-2(1)      Contingency Plan | Coordinate with Related Plans
CP-2(3)      Contingency Plan | Resume Mission and Business Functions
CP-2(8)      Contingency Plan | Identify Critical Assets
CP-4(1)      Contingency Plan Testing | Coordinate with Related Plans
CP-6(3)      Alternate Storage Site | Accessibility
CP-7(1)      Alternate Processing Site | Separation from Primary Site
CP-7(2)      Alternate Processing Site | Accessibility
CP-7(3)      Alternate Processing Site | Priority of Service
CP-8(1)      Telecommunications Services | Priority of Service Provisions
CP-8(2)      Telecommunications Services | Single Points of Failure
CP-10(2)     System Recovery and Reconstitution | Transaction Recovery
IA-3         Device Identification and Authentication
IA-4(4)      Identifier Management | Identify User Status
IA-5(2)      Authenticator Management | Public Key-based Authentication
IA-5(6)      Authenticator Management | Protection of Authenticators
IA-12        Identity Proofing
IA-12(2)     Identity Proofing | Identity Evidence
IA-12(3)     Identity Proofing | Identity Evidence Validation and Verification
IA-12(5)     Identity Proofing | Address Confirmation
IR-3(2)      Incident Response Testing | Coordination with Related Plans
IR-7(1)      Incident Response Assistance | Automation Support for Availability of Information and Support
MA-3(1)      Maintenance Tools | Inspect Tools
MA-3(2)      Maintenance Tools | Inspect Media
MA-3(3)      Maintenance Tools | Prevent Unauthorized Removal
MA-6         Timely Maintenance
MP-3         Media Marking
MP-4         Media Storage
PE-4         Access Control for Transmission
PE-5         Access Control for Output Devices
PE-6(1)      Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
PE-9         Power Equipment and Cabling
PE-10        Emergency Shutoff
PE-11        Emergency Power
PE-13(1)     Fire Protection | Detection Systems — Automatic Activation and Notification
PE-17        Alternate Work Site
PM-1         Information Security Program Plan
PM-2         Information Security Program Leadership Role
PM-3         Information Security and Privacy Resources
PM-4         Plan of Action and Milestones Process
PM-6         Measures of Performance
PM-7(1)      Enterprise Architecture | Offloading
PM-8         Critical Infrastructure Plan
PM-9         Risk Management Strategy
PM-10        Authorization Process
PM-11        Mission and Business Process Definition
PM-12        Insider Threat Program
PM-14        Testing, Training, and Monitoring
PM-15        Security and Privacy Groups and Associations
PM-16        Threat Awareness Program
PM-16(1)     Threat Awareness Program | Automated Means for Sharing Threat Intelligence
PM-18        Privacy Program Plan
PM-19        Privacy Program Leadership Role
PM-20        Dissemination of Privacy Program Information
PM-20(1)     Dissemination of Privacy Program Information | Privacy Policies on Websites, Applications, and Digital Services
PM-21        Accounting of Disclosures
PM-22        Personally Identifiable Information Quality Management
PM-23        Data Governance Body
PM-24        Data Integrity Board
PM-25        Minimization of Personally Identifiable Information Used in Testing, Training, and Research
PM-26        Complaint Management
PM-27        Privacy Reporting
PM-28        Risk Framing
PM-29        Risk Management Program Leadership Roles
PM-31        Continuous Monitoring Strategy
PM-32        Purposing
PT-1         Policy and Procedures
PT-2         Authority to Process Personally Identifiable Information
PT-2(1)      Authority to Process Personally Identifiable Information | Data Tagging
PT-2(2)      Authority to Process Personally Identifiable Information | Automation
PT-3         Personally Identifiable Information Processing Purposes
PT-3(1)      Personally Identifiable Information Processing Purposes | Data Tagging
PT-3(2)      Personally Identifiable Information Processing Purposes | Automation
PT-4         Consent
PT-4(1)      Consent | Tailored Consent
PT-4(2)      Consent | Just-in-time Consent
PT-4(3)      Consent | Revocation
PT-5         Privacy Notice
PT-5(1)      Privacy Notice | Just-in-time Notice
PT-5(2)      Privacy Notice | Privacy Act Statements
PT-6         System of Records Notice
PT-6(1)      System of Records Notice | Routine Uses
PT-6(2)      System of Records Notice | Exemption Rules
PT-7         Specific Categories of Personally Identifiable Information
PT-7(1)      Specific Categories of Personally Identifiable Information | Social Security Numbers
PT-7(2)      Specific Categories of Personally Identifiable Information | First Amendment Information
PT-8         Computer Matching Requirements
RA-5(5)      Vulnerability Monitoring and Scanning | Privileged Access
RA-9         Criticality Analysis
SA-4(1)      Acquisition Process | Functional Properties of Controls
SA-4(2)      Acquisition Process | Design and Implementation Information for Controls
SA-4(9)      Acquisition Process | Functions, Ports, Protocols, and Services in Use
SA-11        Developer Testing and Evaluation
SA-15        Development Process, Standards, and Tools
SA-15(3)     Development Process, Standards, and Tools | Criticality Analysis
SC-2         Separation of System and User Functionality
SC-7(3)      Boundary Protection | Access Points
SC-7(4)      Boundary Protection | External Telecommunications Services
SC-7(7)      Boundary Protection | Split Tunneling for Remote Devices
SC-10        Network Disconnect
SC-17        Public Key Infrastructure Certificates
SC-18        Mobile Code
SI-8(3)      Spam Protection | Continuous Learning Capability
SI-10        Information Input Validation
SI-11        Error Handling
SI-16        Memory Protection


Control Text (NIST SP 800-53 MODERATE baseline controls not mapped to CIS Controls v8, in the order of the identifier list above)

AC-2(2):
Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defin
time period for each type of account].

AC-2(4):
Automatically audit account creation, modification, enabling, disabling, and removal actions.

AC-2(13):
Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment:
organization-defined significant risks].

AC-6(10):
Prevent non-privileged users from executing privileged functions.

AC-12:
Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring
session disconnect].

AC-17(4):
(a) Authorize the execution of privileged commands and access to security-relevant information via remote access o
in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs
and
(b) Document the rationale for remote access in the security plan for the system.

CA-2(1):
Employ independent assessors or assessment teams to conduct control assessments.

CA-7(1):
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

CM-2(2):
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using
[Assignment: organization-defined automated mechanisms].

CM-2(3):
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to
support rollback.

CM-2(7):
(a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined
configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment:
organization-defined controls].

CM-3:
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with
explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time perio
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-
defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-
defined frequency]; when [Assignment: organization-defined configuration change conditions]].

CM-3(2):
Test, validate, and document changes to the system before finalizing the implementation of the changes.

CM-3(4):
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment:
organization-defined configuration change control element].

CP-2(1):
Coordinate contingency plan development with organizational elements responsible for related plans.

CP-2(3):
Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization
defined time period] of contingency plan activation.

CP-2(8):
Identify critical system assets supporting [Selection: all; essential] mission and business functions.

CP-4(1):
Coordinate contingency plan testing with organizational elements responsible for related plans.

CP-6(3):
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaste
and outline explicit mitigation actions.

CP-7(1):
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce
susceptibility to the same threats.

CP-7(2):
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disas
and outline explicit mitigation actions.

CP-7(3):
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availabili
requirements (including recovery time objectives).

CP-8(1):
(a) Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions
accordance with availability requirements (including recovery time objectives); and
(b) Request Telecommunications Service Priority for all telecommunications services used for national security
emergency preparedness if the primary and/or alternate telecommunications services are provided by a common
carrier.

CP-8(2):
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary
telecommunications services.

CP-10(2):
Implement transaction recovery for systems that are transaction-based.

IA-3:
Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before
establishing a [Selection (one or more): local; remote; network] connection.

IA-4(4):
Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteris
identifying individual status].

IA-5(2):
(a) For public key-based authentication:
(1) Enforce authorized access to the corresponding private key; and
(2) Map the authenticated identity to the account of the individual or group; and
(b) When public key infrastructure (PKI) is used:
(1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including check
certificate status information; and
(2) Implement a local cache of revocation data to support path discovery and validation.
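IA-5(2)(b) is one of the few entries in this list that spells out a verification procedure rather than a policy, so here is an added worked example (editor's code, not part of the CIS mapping and not code from NIST) of what (b)(1) and (b)(2) look like in practice: a Go validator that builds a certification path from a client certificate to an accepted trust anchor, then checks every non-root certificate on that path against a locally cached CRL, failing closed when the cache has no current, correctly signed CRL for an issuer. The PKI it validates (a root CA, an issuing CA, two client certificates and one CRL per CA) is constructed in the code purely for the demonstration; the names, serial numbers and lifetimes are arbitrary assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationCache is the IA-5(2)(b)(2) local cache: one parsed CRL per issuer, keyed by DER subject name.
type RevocationCache map[string]*x509.RevocationList
// ValidatePath implements IA-5(2)(b)(1): build and verify a certification path from the leaf to a trust
// anchor in roots, then check every non-root certificate on that path against its issuer's cached CRL.
// A missing, badly signed or stale CRL fails validation (fail closed) instead of counting as "not revoked".
func ValidatePath(leaf *x509.Certificate, intermediates, roots *x509.CertPool, cache RevocationCache, now time.Time) ([]*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return nil, fmt.Errorf("path construction failed: %w", err)
	}
	chain := chains[0] // leaf, ..., trust anchor
	for i := 0; i < len(chain)-1; i++ {
		cert, issuer := chain[i], chain[i+1]
		crl, ok := cache[string(issuer.RawSubject)]
		if !ok {
			return nil, fmt.Errorf("no cached CRL for issuer %q", issuer.Subject.CommonName)
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil {
			return nil, fmt.Errorf("CRL signature check failed: %w", err)
		}
		if now.After(crl.NextUpdate) {
			return nil, fmt.Errorf("cached CRL for %q is stale; refresh it first", issuer.Subject.CommonName)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return nil, fmt.Errorf("certificate %q is revoked", cert.Subject.CommonName)
			}
		}
	}
	return chain, nil
}
// The rest builds a toy PKI for the demo (assumption: names, serials and lifetimes are arbitrary).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a key pair and certificate for cn, signed by parentKey (self-signed when parent is nil).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca { // CAs sign certificates and CRLs; a CRL issuer needs a subject key identifier
		tmpl.KeyUsage, tmpl.ExtKeyUsage, tmpl.SubjectKeyId = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, []byte(cn)
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// publishCRL signs a one-hour CRL for ca with the given entries and caches it as a relying party would.
func publishCRL(cache RevocationCache, ca *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, entries []pkix.RevokedCertificate) {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour), RevokedCertificates: entries}, ca, key))
	crl := must(x509.ParseRevocationList(der))
	cache[string(crl.RawIssuer)] = crl
}

// BuildDemoPKI builds root -> issuing CA -> two client certs and caches a fresh CRL per CA; "mallory" (101) is revoked.
func BuildDemoPKI() (root, inter, good, revoked *x509.Certificate, cache RevocationCache, now time.Time) {
	now = time.Now()
	root, rootKey := issue("Example Root CA", 1, true, nil, nil, now)
	inter, interKey := issue("Example Issuing CA", 2, true, root, rootKey, now)
	good, _ = issue("alice", 100, false, inter, interKey, now)
	revoked, _ = issue("mallory", 101, false, inter, interKey, now)
	cache = RevocationCache{}
	publishCRL(cache, root, rootKey, now, nil)
	publishCRL(cache, inter, interKey, now, []pkix.RevokedCertificate{{SerialNumber: big.NewInt(101), RevocationTime: now}})
	return
}

func main() {
	root, inter, good, revoked, cache, now := BuildDemoPKI()
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	for _, leaf := range []*x509.Certificate{good, revoked} {
		chain, err := ValidatePath(leaf, inters, roots, cache, now)
		fmt.Printf("%s: path length %d, err=%v\n", leaf.Subject.CommonName, len(chain), err)
	}
}
```

Two design points matter more than the scaffolding. First, the revocation check runs over every certificate below the trust anchor, so a revoked issuing CA is caught as well as a revoked end-entity certificate; the root's own CRL is what vouches for the intermediate. Second, the cache is consulted only for CRLs whose NextUpdate has not passed and whose signature verifies against the issuer found on the path, and an absent or stale CRL is a hard failure: a cache that silently answers "not revoked" when it has nothing current to say would satisfy the letter of (b)(2) while defeating the purpose of (b)(1). The example uses CRLs because they are what a local cache most naturally holds; OCSP responses can be cached the same way.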

IA-5(6):
Protect authenticators commensurate with the security category of the information to which use of the authenticator
permits access.

IA-12:
a. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance le
requirements as specified in applicable standards and guidelines;
b. Resolve user identities to a unique individual; and
c. Collect, validate, and verify identity evidence.

IA-12(2):
Require evidence of individual identification be presented to the registration authority.

IA-12(3):
Require that the presented identity evidence be validated and verified through [Assignment: organizational defined
methods of validation and verification].

IA-12(5):
Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify
users address (physical or digital) of record.

IR-3(2):
Coordinate incident response testing with organizational elements responsible for related plans.

IR-7(1):
Increase the availability of incident response information and support using [Assignment: organization-defined
automated mechanisms].

MA-3(1):
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.

MA-3(2):
Check media containing diagnostic and test programs for malicious code before the media are used in the system.

MA-3(3):
Prevent the removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing remova
the equipment from the facility.

MA-6:
Obtain maintenance support and/or spare parts for [Assignment: organization-defined system components] within
[Assignment: organization-defined time period] of failure.

MP-3:
a. Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if an
of the information; and
b. Exempt [Assignment: organization-defined types of system media] from marking if the media remain within
[Assignment: organization-defined controlled areas].

MP-4:
a. Physically control and securely store [Assignment: organization-defined types of digital and/or non-digital media]
within [Assignment: organization-defined controlled areas]; and
b. Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipme
techniques, and procedures.

PE-4:
Control physical access to [Assignment: organization-defined system distribution and transmission lines] within
organizational facilities using [Assignment: organization-defined security controls].

PE-5:
Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized
individuals from obtaining the output.

PE-6(1):
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance
equipment.

PE-9:
Protect power equipment and power cabling for the system from damage and destruction.

PE-10:
a. Provide the capability of shutting off power to [Assignment: organization-defined system or individual system
components] in emergency situations;
b. Place emergency shutoff switches or devices in [Assignment: organization-defined location by system or system
component] to facilitate access for authorized personnel; and
c. Protect emergency power shutoff capability from unauthorized activation.

PE-11:
Provide an uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the system;
transition of the system to long-term alternate power] in the event of a primary power source loss.

PE-13(1):
Employ fire detection systems that activate automatically and notify [Assignment: organization-defined personnel or
roles] and [Assignment: organization-defined emergency responders] in the event of a fire.

PE-17:
a. Determine and document the [Assignment: organization-defined alternate work sites] allowed for use by employee
b. Employ the following controls at alternate work sites: [Assignment: organization-defined controls];
c. Assess the effectiveness of controls at alternate work sites; and
d. Provide a means for employees to communicate with information security and privacy personnel in case of incide
PM-1:
a. Develop and disseminate an organization-wide information security program plan that:
1. Provides an overview of the requirements for the security program and a description of the security program
management controls and common controls in place or planned for meeting those requirements;
2. Includes the identification and assignment of roles, responsibilities, management commitment, coordination amon
organizational entities, and compliance;
3. Reflects the coordination among organizational entities responsible for information security; and
4. Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational
operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizatio
and the Nation;
b. Review and update the organization-wide information security program plan [Assignment: organization-defined
frequency] and following [Assignment: organization-defined events]; and
c. Protect the information security program plan from unauthorized disclosure and modification.

PM-2:
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, impleme
and maintain an organization-wide information security program.

PM-3:
a. Include the resources needed to implement the information security and privacy programs in capital planning and
investment requests and document all exceptions to this requirement;
b. Prepare documentation required for addressing information security and privacy programs in capital planning and
investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standard
and
c. Make available for expenditure, the planned information security and privacy resources.

PM-4:
a. Implement a process to ensure that plans of action and milestones for the information security, privacy, and supp
chain risk management programs and associated organizational systems:
1. Are developed and maintained;
2. Document the remedial information security, privacy, and supply chain risk management actions to adequately
respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and
3. Are reported in accordance with established reporting requirements.
b. Review plans of action and milestones for consistency with the organizational risk management strategy and
organization-wide priorities for risk response actions.

PM-6:
Develop, monitor, and report on the results of information security and privacy measures of performance.

PM-7(1):
Offload [Assignment: organization-defined non-essential functions or services] to other systems, system component
or an external provider.

PM-8:
Address information security and privacy issues in the development, documentation, and updating of a critical
infrastructure and key resources protection plan.

PM-9:
a. Develop a comprehensive strategy to manage:
1. Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated w
the operation and use of organizational systems; and
2. Privacy risk to individuals resulting from the authorized processing of personally identifiable information;
b. Implement the risk management strategy consistently across the organization; and
c. Review and update the risk management strategy [Assignment: organization-defined frequency] or as required, to
address organizational changes.

PM-10:
a. Manage the security and privacy state of organizational systems and the environments in which those systems
operate through authorization processes;
b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process
and
c. Integrate the authorization processes into an organization-wide risk management program.

PM-11:
a. Define organizational mission and business processes with consideration for information security and privacy and
resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; an
b. Determine information protection and personally identifiable information processing needs arising from the defined
mission and business processes; and
c. Review and revise the mission and business processes [Assignment: organization-defined frequency].

PM-12:
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

PM-14:
a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, an
monitoring activities associated with organizational systems:
1. Are developed and maintained; and
2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy a
organization-wide priorities for risk response actions.

PM-15:
Establish and institutionalize contact with selected groups and associations within the security and privacy communi
a. To facilitate ongoing security and privacy education and training for organizational personnel;
b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and
c. To share current security and privacy information, including threats, vulnerabilities, and incidents.

PM-16:
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat
intelligence.

PM-16(1):
Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

PM-18:
a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s
privacy program, and:
1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program
2. Provides an overview of the requirements for the privacy program and a description of the privacy program
management controls and common controls in place or planned for meeting those requirements;
3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other
privacy officials and staff and their responsibilities;
4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;
5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and
6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to
organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, ot
organizations, and the Nation; and
b. Update the plan [Assignment: organization-defined frequency] and to address changes in federal privacy laws and
policy and organizational changes and problems identified during plan implementation or privacy control assessmen

PM-19:
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate,
develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide
privacy program.

PM-20:
Maintain a central resource webpage on the organization’s principal public website that serves as a central source o
information about the organization’s privacy program and that:
a. Ensures that the public has access to information about organizational privacy activities and can communicate wi
its senior agency official for privacy;
b. Ensures that organizational privacy practices and reports are publicly available; and
c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direc
questions to privacy offices regarding privacy practices.

PM-20(1):
Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, tha
(a) Are written in plain language and organized in a way that is easy to understand and navigate;
(b) Provide information needed by the public to make an informed decision about whether and how to interact with th
organization; and
(c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a
time/date stamp to inform the public of the date of the most recent changes.

PM-21:
a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:
1. Date, nature, and purpose of each disclosure; and
2. Name and address, or other contact information of the individual or organization to which the disclosure was mad
b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained
five years after the disclosure is made, whichever is longer; and
c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relat
upon request.

PM-22:
Develop and document organization-wide policies and procedures for:
a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across
information life cycle;
b. Correcting or deleting inaccurate or outdated personally identifiable information;
c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate
entities; and
d. Appeals of adverse decisions on correction or deletion requests.

PM-23:
Establish a Data Governance Body consisting of [Assignment: organization-defined roles] with [Assignment:
organization-defined responsibilities].

PM-24:
Establish a Data Integrity Board to:
a. Review proposals to conduct or participate in a matching program; and
b. Conduct an annual review of all matching programs in which the agency has participated.

PM-25:
a. Develop, document, and implement policies and procedures that address the use of personally identifiable
information for internal testing, training, and research;
b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research
purposes;
c. Authorize the use of personally identifiable information when such information is required for internal testing, train
and research; and
d. Review and update policies and procedures [Assignment: organization-defined frequency].

PM-26:
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the
organizational security and privacy practices that includes:
a. Mechanisms that are easy to use and readily accessible by the public;
b. All information necessary for successfully filing complaints;
c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within [Assignment:
organization-defined time period];
d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within [Assignment: organizati
defined time period]; and
e. Response to complaints, concerns, or questions from individuals within [Assignment: organization-defined time
period].

PM-27:
a. Develop [Assignment: organization-defined privacy reports] and disseminate to:
1. [Assignment: organization-defined oversight bodies] to demonstrate accountability with statutory, regulatory, and
policy privacy mandates; and
2. [Assignment: organization-defined officials] and other personnel with responsibility for monitoring privacy program
compliance; and
b. Review and update privacy reports [Assignment: organization-defined frequency].

PM-28:
a. Identify and document:
1. Assumptions affecting risk assessments, risk responses, and risk monitoring;
2. Constraints affecting risk assessments, risk responses, and risk monitoring;
3. Priorities and trade-offs considered by the organization for managing risk; and
4. Organizational risk tolerance;
b. Distribute the results of risk framing activities to [Assignment: organization-defined personnel]; and
c. Review and update risk framing considerations [Assignment: organization-defined frequency].

PM-29:
a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privac
management processes with strategic, operational, and budgetary planning processes; and
b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure
management of risk is consistent across the organization.

PM-31:
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that
include:
a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics];
b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined
frequencies] for assessment of control effectiveness;
c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;
d. Correlation and analysis of information generated by control assessments and monitoring;
e. Response actions to address results of the analysis of control assessment and monitoring information; and
f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personne
roles] [Assignment: organization-defined frequency].
Analyze [Assignment: organization-defined systems or systems components] supporting mission essential services
functions to ensure that the information resources are being used consistent with their intended purpose.

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:


1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personally identifiable
information processing and transparency policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency
policy and the associated personally identifiable information processing and transparency controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and
dissemination of the personally identifiable information processing and transparency policy and procedures; and
c. Review and update the current personally identifiable information processing and transparency:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Determine and document the [Assignment: organization-defined authority] that permits the [Assignment:
organization-defined processing] of personally identifiable information; and
b. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which
authorized.
Attach data tags containing [Assignment: organization-defined authorized processing] to [Assignment: organization-
defined elements of personally identifiable information].
Manage enforcement of the authorized processing of personally identifiable information using [Assignment:
organization-defined automated mechanisms].
a. Identify and document the [Assignment: organization-defined purpose(s)] for processing personally identifiable
information;
b. Describe the purpose(s) in the public privacy notices and policies of the organization;
c. Restrict the [Assignment: organization-defined processing] of personally identifiable information to only that which
compatible with the identified purpose(s); and
d. Monitor changes in processing personally identifiable information and implement [Assignment: organization-define
mechanisms] to ensure that any changes are made in accordance with [Assignment: organization-defined
requirements].
Attach data tags containing the following purposes to [Assignment: organization-defined elements of personally
identifiable information]: [Assignment: organization-defined processing purposes].
Track processing purposes of personally identifiable information using [Assignment: organization-defined automated
mechanisms].
Implement [Assignment: organization-defined tools or mechanisms] for individuals to consent to the processing of th
personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
Provide [Assignment: organization-defined mechanisms] to allow individuals to tailor processing permissions to sele
elements of personally identifiable information.
Present [Assignment: organization-defined consent mechanisms] to individuals at [Assignment: organization-defined
frequency] and in conjunction with [Assignment: organization-defined personally identifiable information processing].
Implement [Assignment: organization-defined tools or mechanisms] for individuals to revoke consent to the processi
of their personally identifiable information.

Provide notice to individuals about the processing of personally identifiable information that:
a. Is available to individuals upon first interacting with an organization, and subsequently at [Assignment: organizatio
defined frequency];
b. Is clear and easy-to-understand, expressing information about personally identifiable information processing in pla
language;
c. Identifies the authority that authorizes the processing of personally identifiable information;
d. Identifies the purposes for which personally identifiable information is to be processed; and
e. Includes [Assignment: organization-defined information].

Present notice of personally identifiable information processing to individuals at a time and location where the individ
provides personally identifiable information or in conjunction with a data action, or [Assignment: organization-defined
frequency].
Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of
records, or provide Privacy Act statements on separate forms that can be retained by individuals.
For systems that process information that will be maintained in a Privacy Act system of records:
a. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified syst
of records notices to the OMB and appropriate congressional committees for advance review;
b. Publish system of records notices in the Federal Register; and
c. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.

Review all routine uses published in the system of records notice at [Assignment: organization-defined frequency] to
ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which th
information was collected.
Review all Privacy Act exemptions claimed for the system of records at [Assignment: organization-defined frequency
ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulati
and that they are accurately described in the system of records notice.
Apply [Assignment: organization-defined processing conditions] for specific categories of personally identifiable
information.
When a system processes Social Security numbers:
(a) Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to
their use as a personal identifier;
(b) Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to
disclose his or her Social Security number; and
(c) Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is
mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of

Prohibit the processing of information describing how any individual exercises rights guaranteed by the First
Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope o
authorized law enforcement activity.
When a system or organization processes information for the purpose of conducting a matching program:
a. Obtain approval from the Data Integrity Board to conduct the matching program;
b. Develop and enter into a computer matching agreement;
c. Publish a matching notice in the Federal Register;
d. Independently verify the information produced by the matching program before taking adverse action against an
individual, if required; and
e. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an
individual.
Implement privileged access authorization to [Assignment: organization-defined system components] for [Assignmen
organization-defined vulnerability scanning activities].
Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-
defined systems, system components, or system services] at [Assignment: organization-defined decision points in th
system development life cycle].
Require the developer of the system, system component, or system service to provide a description of the functiona
properties of the controls to be implemented.
Require the developer of the system, system component, or system service to provide design and implementation
information for the controls that includes: [Selection (one or more): security-relevant external system interfaces; high
level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design and
implementation information]] at [Assignment: organization-defined level of detail].
Require the developer of the system, system component, or system service to identify the functions, ports, protocols
and services intended for organizational use.

Require the developer of the system, system component, or system service, at all post-design stages of the system
development life cycle, to:
a. Develop and implement a plan for ongoing security and privacy control assessments;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organizati
defined frequency] at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during testing and evaluation.
a. Require the developer of the system, system component, or system service to follow a documented development
process that:
1. Explicitly addresses security and privacy requirements;
2. Identifies the standards and tools used in the development process;
3. Documents the specific tool options and tool configurations used in the development process; and
4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and
b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization
defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and
employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security an
privacy requirements].

Require the developer of the system, system component, or system service to perform a criticality analysis:
(a) At the following decision points in the system development life cycle: [Assignment: organization-defined decision
points in the system development life cycle]; and
(b) At the following level of rigor: [Assignment: organization-defined breadth and depth of criticality analysis].
Separate user functionality, including user interface services, from system management functionality.
Limit the number of external network connections to the system.
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of tha
need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions
that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks
and
(h) Filter unauthorized control plane traffic from external networks.
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely
provisioned using [Assignment: organization-defined safeguards].
Terminate the network connection associated with a communications session at the end of the session or after
[Assignment: organization-defined time period] of inactivity.
a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key
certificates from an approved service provider; and
b. Include only approved trust anchors in trust stores or certificate stores managed by the organization.
a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
Implement spam protection mechanisms with a learning capability to more effectively identify legitimate
communications traffic.
Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the
system].
a. Generate error messages that provide information necessary for corrective actions without revealing information t
could be exploited; and
b. Reveal error messages only to [Assignment: organization-defined personnel or roles].
Implement the following controls to protect the system memory from unauthorized code execution: [Assignment:
organization-defined controls].
The following are Controls from NIST SP 800-53 LOW baseline that are NOT mapped to CIS Controls v8

NIST Control Identifier Control Name
AC-8 System Use Notification
AC-14 Permitted Actions Without Identification or Authentication
AT-2(2) Literacy Training and Awareness | Insider Threat
AT-4 Training Records
AU-5 Response to Audit Logging Process Failures
AU-9 Protection of Audit Information
AU-11 Audit Record Retention
CA-1 Policy and Procedures
CA-2 Control Assessments
CA-3 Information Exchange
CA-5 Plan of Action and Milestones
CA-6 Authorization
CA-7(4) Continuous Monitoring | Risk Monitoring
CM-4 Impact Analyses
CM-5 Access Restrictions for Change
CP-1 Policy and Procedures
CP-2 Contingency Plan
CP-3 Contingency Training
IA-1 Policy and Procedures
IA-2 Identification and Authentication (organizational Users)
IA-2(8) Identification and Authentication (organizational Users) | Access to Acc
IA-2(12) Identification and Authentication (organizational Users) | Acceptance of
IA-6 Authentication Feedback
IA-7 Cryptographic Module Authentication
IA-8 Identification and Authentication (non-organizational Users)
IA-8(1) Identification and Authentication (non-organizational Users) | Acceptanc
IA-8(4) Identification and Authentication (non-organizational Users) | Use of Defi
IA-11 Re-authentication
IR-2 Incident Response Training
MA-1 Policy and Procedures
MA-2 Controlled Maintenance
MA-5 Maintenance Personnel
MP-1 Policy and Procedures
PE-1 Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-6 Monitoring Physical Access
PE-8 Visitor Access Records
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Environmental Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PL-1 Policy and Procedures
PL-2 System Security and Privacy Plans
PL-4 Rules of Behavior
PL-4(1) Rules of Behavior | Social Media and External Site/application Usage Res
PL-10 Baseline Selection
PL-11 Baseline Tailoring
PS-1 Policy and Procedures
PS-2 Position Risk Designation
PS-3 Personnel Screening
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 External Personnel Security
PS-8 Personnel Sanctions
PS-9 Position Descriptions
RA-1 Policy and Procedures
RA-3 Risk Assessment
RA-3(1) Risk Assessment | Supply Chain Risk Assessment
RA-5(11) Vulnerability Monitoring and Scanning | Public Disclosure Program
SA-1 Policy and Procedures
SA-2 Allocation of Resources
SA-4(10) Acquisition Process | Use of Approved PIV Products
SA-5 System Documentation
SC-1 Policy and Procedures
SC-5 Denial-of-service Protection
SC-12 Cryptographic Key Establishment and Management
SC-13 Cryptographic Protection
SC-15 Collaborative Computing Devices and Applications
SC-39 Process Isolation
SI-1 Policy and Procedures
SI-5 Security Alerts, Advisories, and Directives
SI-12 Information Management and Retention
SR-1 Policy and Procedures
SR-2 Supply Chain Risk Management Plan
SR-2(1) Supply Chain Risk Management Plan | Establish SCRM Team
SR-3 Supply Chain Controls and Processes
SR-8 Notification Agreements
SR-10 Inspection of Systems or Components
SR-11 Component Authenticity
SR-11(1) Component Authenticity | Anti-counterfeit Training
SR-11(2) Component Authenticity | Configuration Control for Component Service

NIST Control Text

AC-8 System Use Notification
a. Display [Assignment: organization-defined system use notification message or banner] to users before granting a
security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and gu
1. Users are accessing a U.S. Government system;
2. System usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
4. Use of the system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take e
system; and
c. For publicly accessible systems:
1. Display system use information [Assignment: organization-defined conditions], before granting further access to th
2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations f
activities; and
3. Include a description of the authorized uses of the system.
AC-14 Permitted Actions Without Identification or Authentication
a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identificatio
mission and business functions; and
b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identifica
AT-2(2) Literacy Training and Awareness | Insider Threat
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-4 Training Records
a. Document and monitor information security and privacy training activities, including security and privacy awarenes
privacy training; and
b. Retain individual training records for [Assignment: organization-defined time period].
AU-5 Response to Audit Logging Process Failures
a. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]
b. Take the following additional actions: [Assignment: organization-defined additional actions].
AU-9 Protection of Audit Information
a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, o
AU-11 Audit Record Retention
Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to pr
incidents and to meet regulatory and organizational information retention requirements.

CA-1 Policy and Procedures
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authoriz
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the assoc
controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
monitoring policy and procedures; and
c. Review and update the current assessment, authorization, and monitoring:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
CA-2 Control Assessments
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
b. Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representa
d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency]
implemented correctly, operating as intended, and producing the desired outcome with respect to meeting establishe
e. Produce a control assessment report that documents the results of the assessment; and
f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].

CA-3 Information Exchange
a. Approve and manage the exchange of information between the system and other systems using [Selection (one o
information exchange security agreements; memoranda of understanding or agreement; service level agreements; u
[Assignment: organization-defined type of agreement]];
b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements,
the impact level of the information communicated; and
c. Review and update the agreements [Assignment: organization-defined frequency].

CA-5 Plan of Action and Milestones
a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organ
during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings
reviews, and continuous monitoring activities.

CA-6 Authorization
a. Assign a senior official as the authorizing official for the system;
b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational s
c. Ensure that the authorizing official for the system, before commencing operations:
1. Accepts the use of common controls inherited by the system; and
2. Authorizes the system to operate;
d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by org
e. Update the authorizations [Assignment: organization-defined frequency].

CA-7(4) Continuous Monitoring | Risk Monitoring
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:
(a) Effectiveness monitoring;
(b) Compliance monitoring; and
(c) Change monitoring.
CM-4 Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
CM-5 Access Restrictions for Change
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the sys

CP-1 Policy and Procedures
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency pla
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
procedures; and
c. Review and update the current contingency planning:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
CP-2 Contingency Plan
a. Develop a contingency plan for the system that:
1. Identifies essential mission and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failu
5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemente
6. Addresses the sharing of contingency information; and
7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identifi
elements];
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the system [Assignment: organization-defined frequency];
e. Update the contingency plan to address changes to the organization, system, or environment of operation and pro
implementation, execution, or testing;
f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identifie
elements];
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingen
h. Protect the contingency plan from unauthorized disclosure and modification.

CP-3 Contingency Training
a. Provide contingency training to system users consistent with assigned roles and responsibilities:
1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
2. When required by system changes; and
3. [Assignment: organization-defined frequency] thereafter; and
b. Review and update contingency training content [Assignment: organization-defined frequency] and following [Ass

IA-1 Policy and Procedures
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] identification and auth
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the identification and authentication policy and the associated ident
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
and procedures; and
c. Review and update the current identification and authentication:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
IA-2 Identification and Authentication (organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes actin
IA-2(8) Identification and Authentication (organizational Users) | Access to Acc
Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; n
IA-2(12) Identification and Authentication (organizational Users) | Acceptance of
Accept and electronically verify Personal Identity Verification-compliant credentials.
IA-6 Authentication Feedback
Obscure feedback of authentication information during the authentication process to protect the information from po
individuals.
IA-7 Cryptographic Module Authentication
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws,
standards, and guidelines for such authentication.
IA-8 Identification and Authentication (non-organizational Users)
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational use
IA-8(1) Identification and Authentication (non-organizational Users) | Acceptanc
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
IA-8(4) Identification and Authentication (non-organizational Users) | Use of Defi
Conform to the following profiles for identity management [Assignment: organization-defined identity management p
IA-11 Re-authentication
Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-au
IR-2 Incident Response Training
a. Provide incident response training to system users consistent with assigned roles and responsibilities:
1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or a
2. When required by system changes; and
3. [Assignment: organization-defined frequency] thereafter; and
b. Review and update incident response training content [Assignment: organization-defined frequency] and following

MA-1 Policy and Procedures
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] maintenance policy th
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
and
c. Review and update the current maintenance:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

MA-2 Controlled Maintenance
a. Schedule, document, and review records of maintenance, repair, and replacement on system components in acco
and/or organizational requirements;
b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system o
removed to another location;
c. Require that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the system or
for off-site maintenance, repair, or replacement;
d. Sanitize equipment to remove the following information from associated media prior to removal from organizationa
replacement: [Assignment: organization-defined information];
e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenanc
f. Include the following information in organizational maintenance records: [Assignment: organization-defined inform

a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organ
b. Verify that non-escorted personnel performing maintenance on the system possess the required access authoriza
c. Designate organizational personnel with required access authorizations and technical competence to supervise th
possess the required access authorizations.

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] media protection polic
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the media protection policy and the associated media protection co
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
procedures; and
c. Review and update the current media protection:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] physical and environm
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
policy and procedures; and
c. Review and update the current physical and environmental protection:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides
b. Issue authorization credentials for facility access;
c. Review the access list detailing authorized facility access by individuals [Assignment: organization-defined freque
d. Remove individuals from the facility access list when access is no longer required.

a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility wh
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined ph
b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points];
c. Control access to areas within the facility designated as publicly accessible by implementing the following controls
access controls];
d. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts
e. Secure keys, combinations, and other physical access devices;
f. Inventory [Assignment: organization-defined physical access devices] every [Assignment: organization-defined fre
g. Change combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combina
possessing the keys or combinations are transferred or terminated.

a. Monitor physical access to the facility where the system resides to detect and respond to physical security inciden
b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment:
of events]; and
c. Coordinate results of reviews and investigations with the organizational incident response capability.
a. Maintain visitor access records to the facility where the system resides for [Assignment: organization-defined time
b. Review visitor access records [Assignment: organization-defined frequency]; and
c. Report anomalies in visitor access records to [Assignment: organization-defined personnel].
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or d
evacuation routes within the facility.
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
a. Maintain [Selection (one or more): temperature; humidity; pressure; radiation; [Assignment: organization-defined e
where the system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitor environmental control levels [Assignment: organization-defined frequency].
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are
personnel.
a. Authorize and control [Assignment: organization-defined types of system components] entering and exiting the fa
b. Maintain records of the system components.
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] planning policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
c. Review and update the current planning:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Develop security and privacy plans for the system that:
1. Are consistent with the organization’s enterprise architecture;
2. Explicitly define the constituent system components;
3. Describe the operational context of the system in terms of mission and business processes;
4. Identify the individuals that fulfill system roles and responsibilities;
5. Identify the information types processed, stored, and transmitted by the system;
6. Provide the security categorization of the system, including supporting rationale;
7. Describe any specific threats to the system that are of concern to the organization;
8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;
9. Describe the operational environment for the system and any dependencies on or connections to other systems o
10. Provide an overview of the security and privacy requirements for the system;
11. Identify any relevant control baselines or overlays, if applicable;
12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale
13. Include risk determinations for security and privacy architecture and design decisions;
14. Include security- and privacy-related activities affecting the system that require planning and coordination with [A
groups]; and
15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.
b. Distribute copies of the plans and communicate subsequent changes to the plans to [Assignment: organization-de
c. Review the plans [Assignment: organization-defined frequency];
d. Update the plans to address changes to the system and environment of operation or problems identified during pl
e. Protect the plans from unauthorized disclosure and modification.

a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities an
usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and ag
authorizing access to information and the system;
c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowled
organization-defined frequency]; when the rules are revised or updated].

Include in the rules of behavior, restrictions on:
(a) Use of social media, social networking sites, and external sites/applications;
(b) Posting organizational information on public websites; and
(c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for c
Select a control baseline for the system.
Tailor the selected control baseline by applying specified tailoring actions.
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] personnel security po
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
procedures; and
c. Review and update the current personnel security:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
a. Assign a risk designation to all organizational positions;
b. Establish screening criteria for individuals filling those positions; and
c. Review and update position risk designations [Assignment: organization-defined frequency].
a. Screen individuals prior to authorizing access to the system; and
b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and,
rescreening].

Upon termination of individual employment:
a. Disable system access within [Assignment: organization-defined time period];
b. Terminate or revoke any authenticators and credentials associated with the individual;
c. Conduct exit interviews that include a discussion of [Assignment: organization-defined information security topics]
d. Retrieve all security-related organizational system-related property; and
e. Retain access to organizational information and systems formerly controlled by the terminated individual.

a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems a
transferred to other positions within the organization;
b. Initiate [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defin
c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment
d. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period
a. Develop and document access agreements for organizational systems;
b. Review and update the access agreements [Assignment: organization-defined frequency]; and
c. Verify that individuals requiring access to organizational information and systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational systems when access agreements have been u
frequency].

a. Establish personnel security requirements, including security roles and responsibilities for external providers;
b. Require external providers to comply with personnel security policies and procedures established by the organiza
c. Document personnel security requirements;
d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transf
possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-d
e. Monitor provider compliance with personnel security requirements.
a. Employ a formal sanctions process for individuals failing to comply with established information security and priva
b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period
initiated, identifying the individual sanctioned and the reason for the sanction.
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] risk assessment polic
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment con
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
procedures; and
c. Review and update the current risk assessment:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Conduct a risk assessment, including:
1. Identifying threats to and vulnerabilities in the system;
2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modifica
processes, stores, or transmits, and any related information; and
3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally i
b. Integrate risk assessment results and risk management decisions from the organization and mission or business
assessments;
c. Document risk assessment results in [Selection: security and privacy plans; risk assessment report; [Assignment:
d. Review risk assessment results [Assignment: organization-defined frequency];
e. Disseminate risk assessment results to [Assignment: organization-defined personnel or roles]; and
f. Update the risk assessment [Assignment: organization-defined frequency] or when there are significant changes t
conditions that may impact the security or privacy state of the system.
(a) Assess supply chain risks associated with [Assignment: organization-defined systems, system components, and
(b) Update the supply chain risk assessment [Assignment: organization-defined frequency], when there are significa
changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system com

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and services a
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated syste
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
and procedures; and
c. Review and update the current system and services acquisition:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Determine the high-level information security and privacy requirements for the system or system service in missio
b. Determine, document, and allocate the resources required to protect the system or system service as part of the o
control process; and
c. Establish a discrete line item for information security and privacy in organizational programming and budgeting do
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verificatio
organizational systems.
a. Obtain or develop administrator documentation for the system, system component, or system service that describ
1. Secure configuration, installation, and operation of the system, component, or service;
2. Effective use and maintenance of security and privacy functions and mechanisms; and
3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;
b. Obtain or develop user documentation for the system, system component, or system service that describes:
1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and m
2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secur
3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;
c. Document attempts to obtain system, system component, or system service documentation when such document
[Assignment: organization-defined actions] in response; and
d. Distribute documentation to [Assignment: organization-defined personnel or roles].

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and communi
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the system and communications protection policy and the associate
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
protection policy and procedures; and
c. Review and update the current system and communications protection:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organ
and
b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined contro
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the
[Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
a. Determine the [Assignment: organization-defined cryptographic uses]; and
b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organi
specified cryptographic use].
a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assi
remote activation is to be allowed]; and
b. Provide an explicit indication of use to users physically present at the devices.
Maintain a separate execution domain for each executing system process.

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and informatio
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the system and information integrity policy and the associated syste
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
and procedures; and
c. Review and update the current system and information integrity:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events
a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organiz
b. Generate internal security alerts, advisories, and directives as deemed necessary;
c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-def
defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implement security directives in accordance with established time frames, or notify the issuing organization of the
Manage and retain information within the system and information output from the system in accordance with applica
policies, standards, guidelines and operational requirements.

a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] supply chain risk man
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; a
2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissem
and procedures; and
c. Review and update the current supply chain risk management:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events

a. Develop a plan for managing supply chain risks associated with the research and development, design, manufact
and maintenance, and disposal of the following systems, system components or system services: [Assignment: orga
system services];
b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency] or as re
environmental changes; and
c. Protect the supply chain risk management plan from unauthorized disclosure and modification.
Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, an
SCRM activities: [Assignment: organization-defined supply chain risk management activities].

a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements
defined system or system component] in coordination with [Assignment: organization-defined supply chain personne
b. Employ the following controls to protect against supply chain risks to the system, system component, or system s
supply chain-related events: [Assignment: organization-defined supply chain controls]; and
c. Document the selected and implemented supply chain processes and controls in [Selection: security and privacy
[Assignment: organization-defined document]].
Establish agreements and procedures with entities involved in the supply chain for the system, system component, o
notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined inform
Inspect the following systems or system components [Selection (one or more): at random; at [Assignment: organiza
organization-defined indications of need for inspection]] to detect tampering: [Assignment: organization-defined syst
a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent coun
b. Report counterfeit system components to [Selection (one or more): source of counterfeit component; [Assignmen
organizations]; [Assignment: organization-defined personnel or roles]].
Train [Assignment: organization-defined personnel or roles] to detect counterfeit system components (including hard
Maintain configuration control over the following system components awaiting service or repair and serviced or repa
[Assignment: organization-defined system components].
The following CIS Safeguards were NOT mapped to NIST SP 800-53
3.12 Segment Data Processing and Storage Based on Sensitivity
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterpr

12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative
access. The computing resources should be segmented from the enterprise's primary network and not be allowed in

13.2 Deploy a Host-Based Intrusion Detection Solution
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

13.7 Deploy a Host-Based Intrusion Prevention Solution
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
Endpoint Detection and Response (EDR) client or host-based IPS agent.

15.7 Securely Decommission Service Providers
Securely decommission service providers. Example considerations include user and service account deactivation; te
of enterprise data within service provider systems.

16.8 Separate Production and Non-Production Systems
Maintain separate environments for production and non-production systems.

16.13 Conduct Application Penetration Testing
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipu
unauthenticated user.

16.14 Conduct Threat Modeling
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
It is conducted through specially trained individuals who evaluate the application design and gauge security risks for
is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.

18.1 Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
characteristics should include scope, such as network, web application, API, hosted services, and physical premise
acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be
requirements.

18.2 Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program requirements, but no less than annually. External pen
environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and e
qualified party. The testing may be clear box or opaque box. See the Cloud Companion Guide for cloud-specific guid

18.3 Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

18.4 Validate Security Measures
Validate security measures after each penetration test. Enterprises should modify rulesets and capabilities to detect

18.5 Perform Periodic Internal Penetration Tests
Perform periodic internal penetration tests based on program requirements, but no less than annually. The testing m
Cloud Companion Guide for cloud-specific guidance.